Abstract

The use of shared mutable state, commonly seen in object-oriented systems, is often problematic due to the potential conflicting interactions between aliases to the same state. We present a substructural type system outfitted with a novel lightweight interference control mechanism, rely-guarantee protocols, that enables controlled aliasing of shared resources. By assigning each alias separate roles, encoded in a novel protocol abstraction in the spirit of rely-guarantee reasoning, our type system ensures that challenging uses of shared state will never interfere in an unsafe fashion. In particular, rely-guarantee protocols ensure that each alias will never observe an unexpected value, or type, when inspecting shared memory, regardless of how the changes to that shared state (originating from potentially unknown program contexts) are interleaved at run-time.
1  Introduction


Shared, mutable state can be useful in certain algorithms, in modeling stateful systems, and in structuring programs. However, it can also make reasoning about a program more difficult, potentially resulting in run-time errors. If two pieces of code have references to the same location in memory, and one of them updates the contents of that cell, the update may destructively interfere by breaking the other piece of code's assumptions about the properties of the value contained in that cell, which may cause the program to compute the wrong result, or even to abruptly terminate. In order to mitigate this problem, static type systems conservatively associate an invariant type with each location, and ensure that every store to the location preserves this type. While this approach can ensure basic memory safety, it cannot check higher-level protocol properties [1,4,5,13,20] that are vital to the correctness of many programs [3].

For example, consider a Pipe abstraction that is used to communicate between two parts of the program. A pipe is open while the communication is ongoing, but when the pipe is no longer needed it is closed. Pipes include shared, mutable state in the form of an internal buffer, and abstractions such as Java's PipedInputStream also dynamically track whether they are in the open or closed state. The state of the pipe determines what operations may be performed, and invoking an inappropriate operation is an error: for example, writing to a closed pipe in Java results in a run-time exception.

Static approaches to reason about such state protocols (of which we follow the typestate [7,21,27,28] approach) have two advantages: errors such as writing to a closed pipe can be avoided on the one hand, and defensive run-time tests of the state of an object can become superfluous on the other hand. In typestate systems, abstractions expose a more refined type that models a set of abstract states representing the internal, changing, type of the state (such as the two states above, open and closed), enabling the static modular manipulation of stateful objects. However, sharing (such as by aliasing) these resources must be carefully controlled to avoid potentially destructive interference that may result from mixing incompatible changes to apparently unrelated objects that, in reality, are connected to the same underlying run-time object. This work aims to provide an intuitive and general-purpose extension to the typestate model by exploiting (coordination) protocols at the shared state level to allow fine-grained and flexible uses of aliased state. Therefore, by modeling the interactions of aliases of some shared state in a protocol abstraction, we enable complex uses of sharing to safely occur through benign interference, interference that the other aliases expect and/or require to occur.

Consider once more the pipe example. The next two code blocks implement simplified versions of the pipe's put and tryTake functions. Although each function operates independently of the other, internally they share nodes of the same underlying buffer:

    // protocol: Empty => Filled; none
    put = fun( v : Value ).
      // Empty shared node, oldlast, to be filled with node
      // containing tagged (#) empty record, {}, as 'Empty'
      let last = new Empty#{} in
        let oldlast = !buffer.tail in // is Empty
          // tags pair of 'v' and 'last' as 'Filled'
          oldlast := Filled#{ v , last };
          buffer.tail := last
        end // last cell is now reachable from head&tail
      end // oldlast cell unreachable from tail

By distributing these functions between two aliases, we are able to create independent producer and consumer components of the pipe that share a common buffer (modeled as a singly-linked list). Observe how the interaction, which occurs through aliases of the buffer's nodes, obeys a well-defined protocol: the producer alias (through the put function) inserts an element into the last (empty) node of the buffer and then immediately forfeits that cell (i.e. it is no longer used by that alias); while the consumer alias (using tryTake) proceeds by testing the first node and, when it detects it has been Filled (thus, when the other alias is sure to no longer use it), recovers ownership of that node, which enables the alias to safely delete that cell (first) since it is no longer shared.

1.1  Approach  in  a  Nutshell 

Interference  due  to  aliasing  is  analogous  to  the  interference  caused  by  thread  interleaving  [15, 32]. 
This  occurs  because  mutable  state  may  be  shared  by  aliases  in  unknown  or  non-local  program 
contexts. Such a boundary effectively negates the use of static mechanisms to track exactly which other variables alias some state. Therefore, we are unable to know precisely if the shared state
aliased  by  a  local  variable  will  be  used  when  the  execution  jumps  off  (e.g.  through  a  function 
call)  to  non-local  program  contexts.  However,  if  that  state  is  used,  then  the  aliases  may  change 
the  state  in  ways  that  invalidate  the  local  alias’  assumptions  on  the  current  contents  of  the  shared 
state.  This  interference  caused  by  “alias  interleaving”  occurs  even  without  concurrency,  but  is 
analogous  to  how  thread  interleaving  may  affect  shared  state.  Consequently,  techniques  to  reason 
about  thread  interference  (such  as  rely-guarantee  reasoning  [17])  can  be  useful  to  reason  about 
aliasing  even  in  our  sequential  setting.  The  core  principle  of  rely-guarantee  reasoning  that  we 
adapt  is  its  mechanism  to  make  strong  local  assumptions  in  the  face  of  interference.  To  handle 
such  interference,  each  alias  has  its  actions  constrained  to  fit  within  a  guarantee  type  and  at  the 
same  time  is  free  to  assume  that  the  changes  done  by  other  aliases  of  that  state  must  fit  within  a 
rely  type.  The  duality  between  what  aliases  can  rely  on  and  must  guarantee  among  themselves 
yields  significant  flexibility  in  the  use  of  shared  state,  when  compared  for  instance  to  traditional 
invariant-based  sharing. 

    // rec X.{ Empty => Empty; X ⊕ Filled => none }
    tryTake = fun().
      let first = !buffer.head in
        case !first of
          Empty#_ -> NoResult#{}
        | Filled#{ v , next } ->
            // does not return ownership to the protocol
            delete first;
            buffer.head := next;
            Result#v
        end
      end

We employ rely-guarantee in a novel protocol abstraction that captures a partial view of the use of the shared state, as seen from the perspective of an alias. Therefore, each protocol models the constraints on the actions of that alias and is only aware of the resulting effects ("interference") that may appear in the shared state due to the interleaved uses of that shared state as done by other aliases. A rely-guarantee protocol is formed by a sequence of rely-guarantee steps. Each step contains a rely type, stating what an alias currently assumes the shared state contains; and a guarantee type, a promise that the changes done by that alias will fit within this type. Using these small building blocks, our technique allows strong local assumptions on how the shared state may change, while not knowing when or if other aliases to that shared state will be used, only how they will interact with the shared state, if used. Since each step in a protocol can have distinct rely and guarantee types, a protocol is not frozen in time and can model different "temporal" uses of the shared state directly. A protocol is, therefore, an abstracted perspective on the actions done by each individual alias to the shared state, and that is only aware of the potential resulting effects of all the other aliases of that shared state. A protocol conformance mechanism ensures the sound composition of all protocols to the same shared state, at the moment of their creation. From there on, each protocol is stable (i.e. immune to unexpected/destructive interference) since conformance attested that each protocol, in isolation, is aware of all observable effects that may occur from all possible "alias interleaving" originated from the remaining aliases.

Our  main  contribution  is  a  novel  type-based  protocol  abstraction  to  reason  about  shared  muta¬ 
ble  state,  rely-guarantee  protocols,  that  captures  the  following  features: 

1.  Each  protocol  provides  a  local  type  so  that  an  alias  need  not  know  the  actions  that  other 
aliases  are  doing,  only  their  resulting  (observable)  effect  on  the  shared  state; 

2.  Sharing  can  be  done  asymmetrically  so  that  the  role  of  each  alias  in  the  interaction  with  the 
shared  state  may  be  distinct  from  the  rest; 

3.  Our  protocol  paradigm  is  able  to  scale  by  modeling  sharing  interactions  both  at  the  reference 
level  and  also  at  the  abstract  state  level.  Therefore,  sharing  does  not  need  to  be  embedded  in 
an  ADT  [18],  but  can  also  work  at  the  ADT  level  without  requiring  a  wrapper  reference  [15]; 

4.  State  can  be  shared  individually  or  simultaneously  in  groups  of  state.  By  enabling  sharing 
to  occur  underneath  a  layer  of  apparently  disjoint  state,  we  naturally  support  the  notion  of 
fictional  disjointness  [9, 16, 18]; 

5. Our protocol abstraction is able to model complex interactions that occur through the shared state. These include invariant, monotonic and other coordinated uses. Moreover, they enable both ownership transfer of state between non-local program contexts and ownership recovery. Therefore, shared state can return to being non-shared, and can even later be shared again in a way that is completely unrelated to its previous sharing phases;

6.  Although  protocol  conformance  is  checked  in  pairs,  arbitrary  aliasing  is  possible  (if  safe) 
by  further  sharing  a  protocol  in  ways  that  do  not  conflict  with  the  initial  sharing.  Therefore, 
global  conformance  in  the  use  of  the  shared  state  by  multiple  aliases  is  assured  by  the  combi¬ 
nation  of  individual  binary  protocol  splits,  with  each  split  sharing  the  state  without  breaking 
what  was  previously  assumed  on  that  state; 
7. We allow temporary inconsistencies, so that the shared state may undergo intermediate (private) states that cannot be seen by other aliases. Using an idea similar to (static) mutual exclusion, we ensure that the same shared state cannot be inspected while it is inconsistent. Such a kind of critical section (that does not incur any run-time overhead) is sufficiently flexible to support multiple simultaneously inconsistent states, when they are sure to not be aliasing the same shared state.

With this technique we are able to model challenging uses of aliasing in a lightweight substructural type system, where all sharing is centered on a simple and intuitive protocol abstraction. We believe that by specializing our system to typestate and aliasing [1,26] properties we can offer a useful intermediate point that is simpler than the full functional verification embodied in separation logic [6,24] yet more expressive than conventional type systems. Our proofs of soundness use standard progress and preservation theorems. We show that all allowed interference is benign (i.e. that all changes to the shared state are expected by each alias of that state) by ensuring that a program cannot get stuck, while still enabling the shared state to be legally used in complex ways. Besides the benefit of expressing the programmer's intent in the types, our technique also enables a program to be free of errors related to destructive interference. For instance, the programmer will not be able to wrongly attempt to use a shared cell as if it were no longer shared, or leave values in that shared cell that are not expected by the other aliases of that cell.


2  Pipe  Example 

Our language is based on the polymorphic λ-calculus with mutable references, immutable records, tagged sums and recursive types. Technically, we build on [21] (a variant of [1] adapted for usability) by supporting sharing of mutable state through rely-guarantee protocols. As in L³, a cell is decomposed in two components: a pure reference (that can be freely copied), and a linear [14] capability used to track the contents of that cell. Unlike L³, by extending [21] our language implicitly threads capabilities through the code, reducing syntactic overhead. To support this separation of references and capabilities, our language uses location-dependent types to relate a reference to its respective capability. Therefore, a reference has a type "ref t" to mean a reference to a location t, where the information about the contents of that location is stored in the capability for t. Our capabilities follow the format "rw t A" meaning a read-write capability to location t which, currently, has contents of type A stored in it. The permission to access, such as by dereference, the contents of a cell requires both the reference and the capability to be available. Capabilities are typing artifacts that do not exist at run-time and are moved/threaded implicitly through the code. Locations (such as t) must be managed explicitly, leading to constructs dedicated to abstracting and opening locations.

Pipes are used to support a consumer-producer style of interaction (using a shared internal buffer as mediator), often used in a concurrent program but here used in a single-threaded environment. The shared internal buffer is implemented as a shared singly-linked list where the consumer keeps a pointer to the head of the list and the producer to its tail. By partitioning the pipe's functions (where the consumer alias uses tryTake, and the producer both put and close), clients of the pipe can work independently of one another, provided that the functions' implementation is aware of the potential interference caused by the actions of the other alias. It is on specifying and verifying this interference that our rely-guarantee protocols will be used.

     1  let newPipe = fun( _ : [] ).
            Γ = _ : [] | Δ = ·
     2    open <n,node> = new Empty#{} in
            Γ = _ : [], node : ref n, n : loc | Δ = rw n Empty#[]
     3    share (rw n Empty#[]) as H[n] || T[n];
            Γ = ... | Δ = T[n], H[n]
     4    open <h,head> = new <n, node::H[n]> in
            Γ = ..., head : ref h, h : loc | Δ = T[n], rw h ∃p.(ref p :: H[p])
     5    open <t,tail> = new <n, node::T[n]> in
            Γ = ..., tail : ref t, t : loc | Δ = rw t ∃p.(ref p :: T[p]), ...
     6    < rw h exists p.(ref p :: H[p]),  // packs a type, the capability to location 'h'
     7    < rw t exists p.(ref p :: T[p]),  // packs a type, the capability to location 't'
     8    {  // creates labeled record with 'put', 'close' and 'tryTake' as members
     9      put = fun( e : int :: rw t exists p.(ref p :: T[p]) )./*... shown in Section 4 ...*/,
    19      close = fun( _ : [] :: rw t exists p.(ref p :: T[p]) )./*...*/,
    26      tryTake = fun( _ : [] :: rw h exists p.(ref p :: H[p]) )./*...*/
    47    } :: ( rw h exists p.(ref p :: H[p]) * rw t exists p.(ref p :: T[p]) ) > >
    48    end
    49    end
    50  end

The function creates a pipe by allocating an initial node for the internal buffer, a cell to be shared by the head and tail pointers. The newly allocated cell (line 2) contains a tagged (as Empty) empty record ({}). In our language, aliasing information is correlated through static names, locations, such that multiple references to the same location must imply that these references are aliases of the same cell. Consequently, the new construct (line 2) must be assigned a type that abstracts the concrete location that was created, ∃t.( ref t :: rw t Empty#[] ), which means that there exists some fresh location t, and the new expression evaluates to a reference to t ("ref t"). We associate this reference with a capability to access it, using a stacking operator (::). In this case the capability is rw t Empty#[], representing a read and write capability to the location t, which currently contains a value of type Empty#[] as initially mentioned. On the same line, we then open the existential by giving it a location variable n and a regular variable node to refer to that reference. From there on, the capability (a typing artifact which has no actual value) is automatically unstacked and moved implicitly as needed through the program. For clarity, we will manually stack capabilities (such as on line 4, using the construct e :: A where A is the stacked capability), although the type system does not require it. On line 3, the type system initially carries the following assumptions:


    Γ = _ : [] , node : ref n , n : loc | Δ = rw n Empty#[]

where Γ is the lexical environment (of persistent/pure resources), and Δ is a linear typing environment that contains all linear resources (such as capabilities). Each linear capability must either be used up or passed on through the program (e.g. by returning it from a function). The contents of the reference node are known statically by looking up the capability for the location n to which node refers (i.e. "rw n Empty#[]").

Capabilities are linear (cannot be duplicated), but aliasing in local contexts is still possible by copying references. All copies link back to the same capability using the location contained in the reference. However, when aliases operate in non-local contexts, this location-based link is lost. Thus, if we were to pack node's capability before sharing it, it would become unavailable to other aliases of that location. For instance, by writing <n, node :: rw n Empty#[]> we pack the location n by abstracting it in an existential type for that location. The packed type now refers to a fresh location, unrelated to its old version. Instead, we share that capability (line 3) by splitting it in two rely-guarantee protocols, H and T¹. Each protocol is then assigned to the head and tail pointers (lines 4 and 5, respectively), since they encode the specific uses of each of those aliases. The protocols and sharing mechanisms will be introduced in Section 4.

The type of newPipe is a linear function (⊸) that, since it does not capture any enclosing linear resource, can be marked as pure (!) so that the type can be used without the linear restriction. On line 6 we pack the inner state of the pipe (so as to abstract the capability for t as P, and the one for h as C), resulting in newPipe having the type:

    newPipe : !( [] ⊸ ∃C.∃P.( ![...] :: C * P ) )

where the separate capabilities for the Consumer and Producer are stacked together in a commutative group (*). In this type, C abstracts the capability rw h ∃p.(ref p :: H[p]), and P abstracts rw t ∃p.(ref p :: T[p]). Finally, although we have not yet shown the implementation, the type of the elided record ([...]) contains function types that should be unsurprising noting that each argument and return type has the respective capabilities for the head/tail cells stacked on top (similarly to pre/post conditions, but directly expressed in the types). Therefore, those functions are closures that use the knowledge about the reference to the head/tail pointers from the surrounding context, but do not capture the capability to those cells and instead require them to be supplied as argument.


    [ put     : !( int :: P ⊸ [] :: P ),
      close   : !( [] :: P ⊸ [] ),
      tryTake : !( [] :: C ⊸ NoResult#([] :: C) + Result#(int :: C) + Depleted#[] ) ]


Therefore, put preserves the producer's capability, but close destroys it; while the result of tryTake is a sum type of either Result or NoResult, depending on whether the still open pipe has contents available or not, or Depleted to signal that the pipe was closed (and therefore that the capability C vanished). Observe that the state that the functions depend on is, apparently, disjoint although underneath this layer the state is actually shared (but coordinated through a protocol) so that (benign) interference must occur for the pipe to work properly, i.e. it is fictionally disjoint [9,16,18].

¹ As a brief glimpse, T is "rw n Empty#[] => ( rw n Node#R ⊕ rw n Closed#[] ); none" which relies on n containing Empty#[], ensures n then contains either Node#R or Closed#[], and then loses access to n. Both H and T (and R) will be discussed in detail in Section 4.
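The two roles of the pipe, put/tryTake from Section 1 and close/Depleted from Section 2, modelled as an added example in Python that is not part of the paper or its implementation. The paper enforces the protocols statically; this model instead checks each rely/guarantee step when an alias focuses on and defocuses from a node, so the roles can be exercised and misuses observed. The names H, T, OWNED, share, focus, defocus, violates and demo are this example's own; Filled stands in for the footnote's Node#R, and treating Closed as handing the node back to the consumer is an assumption.

```python
"""Run-time model of the pipe's rely-guarantee protocols (added example, not the paper's
artifact): the paper checks these steps statically, this model checks them dynamically."""

class ProtocolViolation(Exception):
    """Raised where the paper's type system would reject the program."""

# A protocol maps each tag the alias relies on finding in the cell to (tags it
# guarantees to leave, continuation). OWNED = ownership recovered; None = 'none'.
OWNED = "owned"
# Producer (tail), Section 2 footnote, with Filled in place of Node#R:
#   rw n Empty#[] => ( rw n Filled#R (+) rw n Closed#[] ); none
T = {"Empty": ({"Filled", "Closed"}, None)}
# Consumer (head), Section 1 comment: rec X.{ Empty => Empty; X (+) Filled => none }
# Observing Filled (or Closed, assumed here) hands the cell back to the consumer.
H = {}
H["Empty"], H["Filled"], H["Closed"] = ({"Empty"}, H), (set(), OWNED), (set(), OWNED)

class Cell:
    def __init__(self, tag, payload=None):
        self.tag, self.payload = tag, payload

class Alias:
    """A reference plus the protocol this alias still holds on the cell."""
    def __init__(self, cell, protocol):
        self.cell, self.protocol, self._owed = cell, protocol, None
    def focus(self):  # enter a step: observe the cell, checked against the rely type
        c, proto = self.cell, self.protocol
        if proto is None:
            raise ProtocolViolation("alias holds no capability (none)")
        if proto is not OWNED:
            if c.tag not in proto:
                raise ProtocolViolation(f"observed {c.tag}, relied on {sorted(proto)}")
            guarantee, cont = proto[c.tag]
            if cont is OWNED:  # ownership recovery: nothing is owed
                self.protocol = OWNED
            else:
                self._owed = (guarantee, cont)
        return c.tag, c.payload
    def defocus(self, tag, payload=None):  # leave the step: contents must meet the guarantee
        if self._owed is None:
            raise ProtocolViolation("defocus without a matching focus")
        guarantee, cont = self._owed
        if tag not in guarantee:
            raise ProtocolViolation(f"leaving {tag} breaks guarantee {sorted(guarantee)}")
        self.cell.tag, self.cell.payload = tag, payload
        self.protocol, self._owed = cont, None
    def delete(self):  # only an alias owning the cell outright may delete it
        if self.protocol is not OWNED:
            raise ProtocolViolation("cannot delete a cell that is still shared")
        self.protocol = None

def share(cell, p1, p2):  # split one unshared cell into two protocol-holding aliases
    return Alias(cell, p1), Alias(cell, p2)

class Pipe:  # consumer keeps the head alias, producer the tail alias (Section 2)
    def __init__(self):
        self.head, self.tail = share(Cell("Empty"), H, T)
    def put(self, v):
        last_h, last_t = share(Cell("Empty"), H, T)  # new last node, shared
        self.tail.focus()                             # rely: Empty
        self.tail.defocus("Filled", (v, last_h))      # guarantee: Filled; then none
        self.tail = last_t
    def close(self):
        self.tail.focus()
        self.tail.defocus("Closed")
        self.tail = None                              # close destroys P
    def try_take(self):
        first = self.head
        tag, payload = first.focus()
        if tag == "Empty":
            first.defocus("Empty")                    # Empty => Empty; X
            return ("NoResult", None)
        first.delete()                                # recovered, no longer shared
        if tag == "Filled":
            v, self.head = payload
            return ("Result", v)
        self.head = None                              # Closed: C vanishes
        return ("Depleted", None)

def violates(action):  # True when action() is rejected by the protocol model
    try:
        action()
    except ProtocolViolation:
        return True
    return False

def demo():  # a normal run plus two misuses the protocols rule out
    p = Pipe()
    trace = [p.try_take()]
    p.put(1); p.put(2)
    trace += [p.try_take(), p.try_take(), p.try_take()]
    p.close()
    trace.append(p.try_take())
    q, s = Pipe(), Pipe()
    forfeited = q.tail; q.put(7)   # put forfeits the producer's alias to the first node
    s.head.cell.tag = "Bogus"      # a value no protocol admits
    return {"trace": trace, "reuse_forfeited": violates(forfeited.focus),
            "unexpected": violates(s.try_take)}
```

demo() walks the normal producer/consumer trace (NoResult, two Results, NoResult, then Depleted after close) and then checks two misuses: a producer touching a node it already forfeited, and a consumer finding a value its rely type does not admit. Both are exactly the situations the paper's conformance check rules out before the program runs; here they surface as ProtocolViolation.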
3  Technical Development

We now present the type system. Some non-essential details are only discussed in [21] since they should be close to type-theoretic concepts and, therefore, straightforward to grasp. In fact, the core system is very similar to that used in [21] but with the addition of intersection types and all of our sharing constructs. For consistency of the presentation, we include all sharing mechanisms here but leave their discussion to Section 4.

3.1  Syntax  and  Types 

The (let-expanded [25]) grammar is shown in Fig. 1. The main deviations from standard λ-calculus (besides some non-standard notations) are the inclusion of location-related constructs, and the sharing constructs (share, focus, and defocus). We reused the idioms for pairs, recursion, etc. defined in [21] so that they are not shown here.

We  use  a  flat  type  grammar  (Fig.  2)  where  both  capabilities  (i.e.  typing  artifacts  without  values, 
which  includes  our  rely-guarantee  protocols)  and  standard  types  (used  to  type  values)  coexist.  Our 
design  does  not  need  to  make  a  syntactic  distinction  between  the  two  kinds  since  the  type  system 
ensures  the  proper  separation  in  their  use. 

We now overview the basic types, leaving the rely (⇒) and guarantee (;) types to be presented in the following Section together with the discussion on sharing. Pure types !A enable a linear type to be used multiple times. A ⊸ A' describes a linear function of argument A and result A'. The stacking operation A :: A' stacks A' (a capability, or abstracted capability) on top of A. This stacking is not commutative since it stacks a single type on the right of ::. Therefore, * enables multiple types to be grouped together so that, when later stacked, the type lists a commutative group of capabilities. Note that while A0 :: (A1 :: A2) and A0 :: (A2 :: A1) are not (necessarily) subtypes of one another, capability commutation is always possible with * such that A0 :: (A1 * A2) <:> A0 :: (A2 * A1). Both ∀ and ∃ offer the standard quantification, over location and type kinds, together with the respective location/type variables. [f : A] types describe labeled records of arbitrary length. A ref p type is a reference to location p; the contents of such a reference are tracked by the capability to that location and are not stored in the reference type itself. Recursive types, which are automatically folded/unfolded through subtyping rules (see Fig. 6 and (t:Subsumption) in Fig. 4), are also supported. Sum types use the form tag#A to tag type A with tag. Alternatives (⊕) model imprecision in the knowledge of the type by listing the different possible states it may be in. none is the empty capability, while rw p A is the read-write capability to location p (a memory cell currently containing a value of type A). Finally, an A&A' type means that the client can choose to use either type A or type A' but not both simultaneously.

3.2  Operational Semantics

Our small step semantics (Fig. 3) uses judgments of the form:

    ⟨ H0 ‖ e0 ⟩ ↦ ⟨ H1 ‖ e1 ⟩
    ρ ∈ Location Constants (Addresses)   t ∈ Location Variables   p ::= ρ | t
    l ∈ Labels (Tags)   f ∈ Fields   x ∈ Variables   X ∈ Type Variables

    v ::=  ρ                          (address)
        |  x                          (variable)
        |  fun(x : A).e               (function)
        |  ⟨t⟩e                       (universal location)
        |  ⟨X⟩e                       (universal type)
        |  ⟨p, v⟩                     (pack location)
        |  ⟨A, v⟩                     (pack type)
        |  { f = v }                  (record)
        |  l#v                        (tagged value)

    e ::=  v                          (value)
        |  v[p]                       (location application)
        |  v[A]                       (type application)
        |  v.f                        (field)
        |  v v                        (application)
        |  let x = e in e end         (let)
        |  open ⟨t, x⟩ = v in e end   (open location)
        |  open ⟨X, x⟩ = v in e end   (open type)
        |  new v                      (cell creation)
        |  delete v                   (cell deletion)
        |  !v                         (dereference)
        |  v := v                     (assign)
        |  case v of l#x → e end      (case)
        |  share A0 as A1 || A2       (share)
        |  focus A                    (focus)
        |  defocus                    (defocus)

Note: ρ is not source-level. Z̄ stands for a possibly empty sequence of Z (record fields, case branches). Tuples, recursion, etc. are encoded as idioms [21].

Figure 1: Values (v) and expressions (e).
    A ::=  !A                 (pure/persistent)
        |  A ⊸ A              (linear function)
        |  A :: A             (stacking)
        |  A * A              (separation)
        |  [f : A]            (record)
        |  X                  (type variable)
        |  ∀X.A               (universal type quantification)
        |  ∃X.A               (existential type quantification)
        |  ∀t.A               (universal location quantification)
        |  ∃t.A               (existential location quantification)
        |  ref p              (reference type)
        |  rec X.A            (recursive type)
        |  Σ_i l_i#A_i        (tagged sum)
        |  A ⊕ A              (alternative)
        |  A & A              (intersection)
        |  rw p A             (read-write capability to p)
        |  none               (empty capability)
        |  A ⇒ A              (rely)
        |  A ; A              (guarantee)

Note: Σ_i l_i#A_i denotes a single tagged type or a sequence of tagged types separated by +, such as "t#A + u#B + v#C". Separation, sum, alternative and intersection types are assumed commutative, i.e. without respective subtyping rules.

Figure 2: Types and capabilities.

where a program execution is given by:

    ⟨ ∅ ‖ e ⟩ ↦* ⟨ H ‖ v ⟩

which states that starting from the empty heap (∅) and an initial expression (e), we reach a final configuration of value v with heap H (after an arbitrary number of steps). The heap (H) binds addresses (ρ) to values (v) using the following format:

    H ::= ∅ (empty) | H , ρ ↦ v (binding)

The semantics are analogous to what is found in the literature, except for a few small differences: the (d:New) and (d:Delete) reduction rules, as in [1], manipulate existential values that abstract the underlying location that was created or will be deleted, in order for the type system to properly handle such location abstractions (i.e. for the value to match the given type). We also highlight how sharing related constructs (focus, defocus, and share) have no operational meaning (and thus are equivalent to no-ops).
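To make the reductions concrete, the following added example (not the paper's artifact) implements the heap rules of Fig. 3 as a small evaluator. Expressions and values are Python tuples; types are erased and variables are resolved through an environment rather than substituted, which coincides with the substitution rules for closed programs. The open form here also accepts an expression on its right-hand side, as the newPipe listing of Section 2 does. The names run, ev, val, addr, gets_stuck and PROGRAM are this example's own.

```python
"""Evaluator for the heap rules of Fig. 3. Added example, not the paper's artifact:
expressions are tuples, variables are resolved through an environment (equivalent
to substitution for closed programs), and types are erased."""

class Stuck(Exception):
    """No rule applies: the configuration cannot make progress."""

UNIT = ("rec", {})  # the empty record {}

def val(v, env):  # resolve a syntactic value to a run-time value
    k = v[0]
    if k == "var":
        return env[v[1]]
    if k == "fun":  # fun(x : A).e becomes a closure (A erased)
        return ("clo", v[1], v[2], env)
    if k == "pack":  # <p, v>: p is an address or a location variable bound by open
        loc = env[v[1]] if isinstance(v[1], str) else v[1]
        return ("pack", loc, val(v[2], env))
    if k == "tag":
        return ("tag", v[1], val(v[2], env))
    if k == "rec":
        return ("rec", {f: val(x, env) for f, x in v[1].items()})
    return v  # ("addr", p) and already-resolved values

def addr(v, heap):  # an address that is bound in the heap, else stuck
    if v[0] != "addr" or v[1] not in heap:
        raise Stuck(f"no cell for {v}")
    return v[1]

def ev(e, env, heap):  # big-step evaluation: returns (value, heap')
    k = e[0]
    if k == "new":  # (d:New): fresh address p, result is the package <p, p>
        p = max(heap, default=0) + 1
        return ("pack", p, ("addr", p)), {**heap, p: val(e[1], env)}
    if k == "delete":  # (d:Delete): consumes <p, p>, yields <p, old contents>
        v = val(e[1], env)
        if v[0] != "pack" or v[2] != ("addr", v[1]) or v[1] not in heap:
            raise Stuck(f"delete {v}")
        heap = dict(heap)
        return ("pack", v[1], heap.pop(v[1])), heap
    if k == "deref":  # (d:Dereference)
        return heap[addr(val(e[1], env), heap)], heap
    if k == "assign":  # (d:Assign): stores v1 and yields the old contents v0
        p = addr(val(e[1], env), heap)
        return heap[p], {**heap, p: val(e[2], env)}
    if k == "app":  # (d:Application)
        f, a = val(e[1], env), val(e[2], env)
        if f[0] != "clo":
            raise Stuck(f"apply {f}")
        return ev(f[2], {**f[3], f[1]: a}, heap)
    if k == "field":  # (d:Selection)
        return val(e[1], env)[1][e[2]], heap
    if k == "let":  # (d:LetCong) then (d:Let)
        v, heap = ev(e[2], env, heap)
        return ev(e[3], {**env, e[1]: v}, heap)
    if k == "open":  # (d:LocOpen): open <t, x> = <p, v> in e binds t to p and x to v
        v, heap = ev(e[3], env, heap)
        if v[0] != "pack":
            raise Stuck(f"open {v}")
        return ev(e[4], {**env, e[1]: v[1], e[2]: v[2]}, heap)
    if k == "case":  # (d:Case)
        v = val(e[1], env)
        if v[0] != "tag" or v[1] not in e[2]:
            raise Stuck(f"case {v}")
        x, body = e[2][v[1]]
        return ev(body, {**env, x: v[2]}, heap)
    if k in ("share", "focus", "defocus"):  # no operational meaning: reduce to {}
        return UNIT, heap
    return val(e, env), heap  # a value is already reduced

def run(e):  # ( 0 || e ) ->* ( H || v ) from the empty heap
    return ev(e, {}, {})

def gets_stuck(e):  # True when the closed program e has no reduction
    try:
        run(e)
    except Stuck:
        return True
    return False

# open <n, node> = new Empty#{} in let old = node := Filled#{} in
#   let cur = !node in let freed = delete <n, node> in cur end end end end
PROGRAM = ("open", "n", "node", ("new", ("tag", "Empty", UNIT)),
           ("let", "old", ("assign", ("var", "node"), ("tag", "Filled", UNIT)),
            ("let", "cur", ("deref", ("var", "node")),
             ("let", "freed", ("delete", ("pack", "n", ("var", "node"))),
              ("var", "cur")))))

if __name__ == "__main__":
    print(run(PROGRAM))
```

run(PROGRAM) allocates a cell, overwrites it, reads it back and deletes it, ending with the value Filled#{} and an empty heap; note that (d:Assign) hands back the previous contents and that delete only fires on the packed ⟨p, p⟩ produced by new, so a bare address cannot be freed. gets_stuck shows the progress failures the type system is meant to exclude: dereferencing an unbound address, or deleting something that is not such a package.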

    Dynamics, (d:*)     ⟨ H0 ‖ e0 ⟩ ↦ ⟨ H1 ‖ e1 ⟩

    (d:New)          ρ fresh
                     ⟨ H ‖ new v ⟩ ↦ ⟨ H, ρ ↦ v ‖ ⟨ρ, ρ⟩ ⟩
    (d:Delete)       ⟨ H, ρ ↦ v ‖ delete ⟨ρ, ρ⟩ ⟩ ↦ ⟨ H ‖ ⟨ρ, v⟩ ⟩
    (d:Dereference)  ⟨ H, ρ ↦ v ‖ !ρ ⟩ ↦ ⟨ H, ρ ↦ v ‖ v ⟩
    (d:Assign)       ⟨ H, ρ ↦ v0 ‖ ρ := v1 ⟩ ↦ ⟨ H, ρ ↦ v1 ‖ v0 ⟩
    (d:Application)  ⟨ H ‖ (fun(x : A).e) v ⟩ ↦ ⟨ H ‖ e{v/x} ⟩
    (d:Selection)    ⟨ H ‖ { f = v }.f_i ⟩ ↦ ⟨ H ‖ v_i ⟩
    (d:LocApp)       ⟨ H ‖ (⟨t⟩e)[ρ] ⟩ ↦ ⟨ H ‖ e{ρ/t} ⟩
    (d:TypeApp)      ⟨ H ‖ (⟨X⟩e)[A] ⟩ ↦ ⟨ H ‖ e{A/X} ⟩
    (d:LocOpen)      ⟨ H ‖ open ⟨t, x⟩ = ⟨ρ, v⟩ in e end ⟩ ↦ ⟨ H ‖ e{v/x}{ρ/t} ⟩
    (d:TypeOpen)     ⟨ H ‖ open ⟨X, x⟩ = ⟨A, v⟩ in e end ⟩ ↦ ⟨ H ‖ e{v/x}{A/X} ⟩
    (d:Case)         ⟨ H ‖ case l_i#v_i of l#x → e end ⟩ ↦ ⟨ H ‖ e_i{v_i/x_i} ⟩
    (d:LetCong)      ⟨ H0 ‖ e0 ⟩ ↦ ⟨ H1 ‖ e1 ⟩
                     ---------------------------------------------------------
                     ⟨ H0 ‖ let x = e0 in e2 end ⟩ ↦ ⟨ H1 ‖ let x = e1 in e2 end ⟩
    (d:Let)          ⟨ H ‖ let x = v in e end ⟩ ↦ ⟨ H ‖ e{v/x} ⟩

    Sharing-related constructs:

    (d:Share)        ⟨ H ‖ share A0 as A1 || A2 ⟩ ↦ ⟨ H ‖ {} ⟩
    (d:Focus)        ⟨ H ‖ focus A ⟩ ↦ ⟨ H ‖ {} ⟩
    (d:Defocus)      ⟨ H ‖ defocus ⟩ ↦ ⟨ H ‖ {} ⟩

Figure 3: Operational semantics.

3.3  Type System

Our typing rules use typing judgments of the form: Γ | Δ0 ⊢ e : A ⊣ Δ1 stating that with lexical environment Γ and linear resources Δ0 we assign the expression e a type A and produce effects that result in Δ1. The typing environments are as follows:


r 


r,  x  :  A 
r,  p  :  loc 
r,  X  :  type 


(empty) 

(variable  binding) 

(loeation  variable  assertion) 
(type  assertion) 


A 


(empty) 

A,  X  :  A  (linear  binding) 

A,  A  (eapability/protoeol) 

A*^,  Ao;Ai>A  (defoeus-guarantee) 


where Δ^g syntactically restricts Δ to not include a defocus-guarantee (a sharing feature, see Section 4.3). It suffices to note that this restriction ensures that defocus-guarantees are nested on the right of ▷ and that, at each level, there exists only one pending defocus-guarantee. Δ^g is also used to forbid capture of defocus-guarantees by functions and other constructs that can keep part of the linear typing environment for themselves.

The typing rules are shown in Fig. 4 and Fig. 5, but the sharing-related typing rules, namely (t:Focus-Rely), (t:Defocus-Guarantee), (t:Share), and (t:Frame), are only discussed in Section 4. We now overview the main typing rules.

All  values  (which  includes  functions,  tagged  values,  etc.)  have  no  resulting  effect  (•)  since, 
operationally,  they  have  no  pending  computations. 

Allocating a new cell, (t:New), results in a type, ∃t.( ref t :: rw t A ), that abstracts the fresh location that was created (t), and includes both a reference to that location and the capability to that location. To associate a value (such as ref t) with some capability (such as the capability to access location t), we use a stacking operator (::). Naturally, to be able to use the existential location, we must first open that abstraction, (t:Loc-Open), by giving it a location variable to refer to the abstracted location, besides the usual variable to refer to the contents of the existential type.

Reading the content of a cell can be either destructive, using (t:Dereference-Linear), or not, by (t:Dereference-Pure). The difference resides in whether its content is pure (!). If it is linear, then to preserve linearity we must leave the unit type ([]) behind to avoid duplication.

By banging the type of a variable binding, (t:Pure-Elim), we can move it to the linear context, which enables the function's typing rule to initially consider all arguments as linear even if they are pure. Functions can only capture a Δ^g linear environment to ensure that they will not hide a pending defocus-guarantee (and similarly on ∀ abstractions), since our types do not express such a pending operation.

Stacking, done through (t:Cap-Elim), (t:Cap-Stack) and (t:Cap-Unstack), enables the type system to manage capabilities in a non-syntax-directed way, since they have no value nor associated identifier.

The (t:Case) rule allows the set of tags of the value that is to be case analyzed (v) to be smaller than those listed in the branches of the case (i ≤ j). This condition is safe because it amounts to ignoring the effects of those branches, instead of being overly conservative and having to consider them all. These branches are not necessarily useless since, for instance, they may still be relevant on alternative program states (⊕).

(t:Alternative-Left) expresses that if an expression types with both assumptions, A0 and A1, then it works with both alternatives. (t:Intersection-Right) is similar but on the resulting effect of that expression.

Finally, (t:Subsumption) enables expressions to rely on weaker assumptions while ensuring a stronger result than needed, through the use of subtyping rules.
Typing rules, (t:*), judgments of the form Γ | Δ0 ⊢ e : A ⊣ Δ1:

(t:Ref)
  ───────────────────────────────
  Γ, ρ : loc | · ⊢ ρ : ref ρ ⊣ ·

(t:Pure)
  Γ | · ⊢ v : A ⊣ ·
  ───────────────────
  Γ | · ⊢ v : !A ⊣ ·

(t:Unit)
  ───────────────────
  Γ | · ⊢ {} : [] ⊣ ·

(t:Pure-Read)
  ──────────────────────────
  Γ, x : A | · ⊢ x : !A ⊣ ·

(t:Linear-Read)
  ───────────────────────
  Γ | x : A ⊢ x : A ⊣ ·

(t:Pure-Elim)
  Γ, x : A0 | Δ0 ⊢ e : A1 ⊣ Δ1
  ──────────────────────────────
  Γ | Δ0, x : !A0 ⊢ e : A1 ⊣ Δ1

(t:Subsumption)
  Δ0 <: Δ1    Γ | Δ1 ⊢ e : A0 ⊣ Δ2    A0 <: A1    Δ2 <: Δ3
  ─────────────────────────────────────────────────────────
  Γ | Δ0 ⊢ e : A1 ⊣ Δ3

(t:New)
  Γ | Δ0 ⊢ v : A ⊣ Δ1
  ────────────────────────────────────────────
  Γ | Δ0 ⊢ new v : ∃t.(ref t :: rw t A) ⊣ Δ1

(t:Delete)
  Γ | Δ0 ⊢ v : ∃t.(ref t :: rw t A) ⊣ Δ1
  ───────────────────────────────────────
  Γ | Δ0 ⊢ delete v : ∃t.A ⊣ Δ1

(t:Assign)
  Γ | Δ0 ⊢ v1 : A0 ⊣ Δ1    Γ | Δ1 ⊢ v0 : ref ρ ⊣ Δ2, rw ρ A1
  ───────────────────────────────────────────────────────────
  Γ | Δ0 ⊢ v0 := v1 : A1 ⊣ Δ2, rw ρ A0

(t:Record)
  Γ | Δ ⊢ v : A ⊣ ·
  ──────────────────────────────
  Γ | Δ ⊢ {f = v} : [f : A] ⊣ ·

(t:Selection)
  Γ | Δ0 ⊢ v : [f : A] ⊣ Δ1
  ───────────────────────────
  Γ | Δ0 ⊢ v.f_i : A_i ⊣ Δ1

(t:Function)
  Γ | Δ^g, x : A0 ⊢ e : A1 ⊣ ·
  ───────────────────────────────────────
  Γ | Δ^g ⊢ fun(x : A0).e : A0 ⊸ A1 ⊣ ·

(t:Application)
  Γ | Δ0 ⊢ v0 : A0 ⊸ A1 ⊣ Δ1    Γ | Δ1 ⊢ v1 : A0 ⊣ Δ2
  ────────────────────────────────────────────────────
  Γ | Δ0 ⊢ v0 v1 : A1 ⊣ Δ2

(t:Let)
  Γ | Δ0 ⊢ e0 : A0 ⊣ Δ1    Γ | Δ1, x : A0 ⊢ e1 : A1 ⊣ Δ2
  ──────────────────────────────────────────────────────
  Γ | Δ0 ⊢ let x = e0 in e1 end : A1 ⊣ Δ2

(t:Forall-Loc)
  Γ, t : loc | Δ^g ⊢ e : A ⊣ ·
  ──────────────────────────────
  Γ | Δ^g ⊢ ⟨t⟩e : ∀t.A ⊣ ·

(t:Loc-App)
  ρ : loc ∈ Γ    Γ | Δ0 ⊢ v : ∀t.A ⊣ Δ1
  ──────────────────────────────────────
  Γ | Δ0 ⊢ v[ρ] : A{ρ/t} ⊣ Δ1

(t:Dereference-Linear)
  Γ | Δ0 ⊢ v : ref ρ ⊣ Δ1, rw ρ A
  ─────────────────────────────────
  Γ | Δ0 ⊢ !v : A ⊣ Δ1, rw ρ []

(t:Dereference-Pure)
  Γ | Δ0 ⊢ v : ref ρ ⊣ Δ1, rw ρ !A
  ──────────────────────────────────
  Γ | Δ0 ⊢ !v : !A ⊣ Δ1, rw ρ !A

(t:Loc-Open)
  Γ | Δ0 ⊢ v : ∃t.A0 ⊣ Δ1    Γ, t : loc | Δ1, x : A0 ⊢ e : A1 ⊣ Δ2
  ────────────────────────────────────────────────────────────────
  Γ | Δ0 ⊢ open ⟨t, x⟩ = v in e end : A1 ⊣ Δ2

(t:Loc-Pack)
  Γ | Δ ⊢ v : A{ρ/t} ⊣ ·
  ──────────────────────────
  Γ | Δ ⊢ ⟨ρ, v⟩ : ∃t.A ⊣ ·

Note: all bound variables of a construct must be fresh in the respective rule's conclusion.

Figure 4: Static semantics (continues on next page).
(t:Alternative-Left)
  Γ | Δ, A0 ⊢ e : A2 ⊣ Δ1    Γ | Δ, A1 ⊢ e : A2 ⊣ Δ1
  ──────────────────────────────────────────────────
  Γ | Δ, A0 ⊕ A1 ⊢ e : A2 ⊣ Δ1

(t:Intersection-Right)
  Γ | Δ0 ⊢ e : A0 ⊣ Δ1, A1    Γ | Δ0 ⊢ e : A0 ⊣ Δ1, A2
  ────────────────────────────────────────────────────
  Γ | Δ0 ⊢ e : A0 ⊣ Δ1, A1 & A2

(t:Forall-Type)
  Γ, X : type | Δ^g ⊢ e : A ⊣ ·
  ───────────────────────────────
  Γ | Δ^g ⊢ ⟨X⟩e : ∀X.A ⊣ ·

(t:Type-App)
  Γ ⊢ A1 type    Γ | Δ0 ⊢ v : ∀X.A0 ⊣ Δ1
  ───────────────────────────────────────
  Γ | Δ0 ⊢ v[A1] : A0{A1/X} ⊣ Δ1

(t:Type-Pack)
  Γ | Δ ⊢ v : A0{A1/X} ⊣ ·
  ────────────────────────────
  Γ | Δ ⊢ ⟨A1, v⟩ : ∃X.A0 ⊣ ·

(t:Type-Open)
  Γ | Δ0 ⊢ v : ∃X.A0 ⊣ Δ1    Γ, X : type | Δ1, x : A0 ⊢ e : A1 ⊣ Δ2
  ─────────────────────────────────────────────────────────────────
  Γ | Δ0 ⊢ open ⟨X, x⟩ = v in e end : A1 ⊣ Δ2

(t:Cap-Stack)
  Γ | Δ0 ⊢ e : A0 ⊣ Δ1, A1
  ───────────────────────────
  Γ | Δ0 ⊢ e : A0 :: A1 ⊣ Δ1

(t:Cap-Unstack)
  Γ | Δ0 ⊢ e : A0 :: A1 ⊣ Δ1
  ───────────────────────────
  Γ | Δ0 ⊢ e : A0 ⊣ Δ1, A1

(t:Cap-Elim)
  Γ | Δ0, x : A0, A1 ⊢ e : A2 ⊣ Δ1
  ───────────────────────────────────
  Γ | Δ0, x : A0 :: A1 ⊢ e : A2 ⊣ Δ1

(t:Tag)
  Γ | Δ ⊢ v : A ⊣ ·
  ──────────────────────
  Γ | Δ ⊢ l#v : l#A ⊣ ·

(t:Case)
  Γ | Δ0 ⊢ v : Σ_i l_i#A_i ⊣ Δ1    Γ | Δ1, x_j : A_j ⊢ e_j : A ⊣ Δ2    i ≤ j
  ─────────────────────────────────────────────────────────────────────────
  Γ | Δ0 ⊢ case v of l_j#x_j → e_j end : A ⊣ Δ2

Sharing-related typing rules:

(t:Frame)
  Γ | Δ0 ⊢ e : A ⊣ Δ1
  ───────────────────────────────   (the ⊚ merge is defined in Section 4.4)
  Γ | Δ0, Δ2 ⊢ e : A ⊣ Δ1 ⊚ Δ2

(t:Focus-Rely)
  A0 ∈ A
  ────────────────────────────────────────
  Γ | A0 ⇒ A1 ⊢ focus A : [] ⊣ A0, A1 ▷ ·

(t:Share)
  A0 ⇛ A1 ‖ A2
  ────────────────────────────────────────────────
  Γ | Δ, A0 ⊢ share A0 as A1 ‖ A2 : [] ⊣ Δ, A1, A2

(t:Defocus-Guarantee)
  ──────────────────────────────────────────────────────
  Γ | Δ0, A0, A0; A1 ▷ Δ1 ⊢ defocus : [] ⊣ Δ0, Δ1, A1

Note: all bound variables of a construct must be fresh in the respective rule's conclusion.

Figure 5: Static semantics (continued).
Subtyping on types, (st:*), of the form A0 <: A1:

(st:Symmetry)    A <: A

(st:ToLinear)    !A <: A

(st:Pure)
  A0 <: A1
  ──────────
  !A0 <: !A1

                 !A <: ![]

(st:Ref)         ref ρ <: !(ref ρ)

(st:Function)
  A1 <: A3    A2 <: A0
  ─────────────────────────
  A0 ⊸ A1 <: A2 ⊸ A3

(st:Loc-Exists)
  A0 <: A1
  ────────────────
  ∃t.A0 <: ∃t.A1

(st:Loc-Forall)
  A0 <: A1
  ────────────────
  ∀t.A0 <: ∀t.A1

(st:Type-Exists)
  A0 <: A1
  ────────────────
  ∃X.A0 <: ∃X.A1

(st:Type-Forall)
  A0 <: A1
  ────────────────
  ∀X.A0 <: ∀X.A1

(st:Record)
  A_i <: A'_i
  ──────────────────────────────────────
  [f : A, f_i : A_i] <: [f : A, f_i : A'_i]

(st:Discard)
  i > 0
  ──────────────────────────────
  [f : A, f_i : A_i] <: [f : A]

(st:PurifyRec)   [f : !A] <: ![f : !A]

(st:Stack)
  A0 <: A1    A2 <: A3
  ─────────────────────────
  A0 :: A2 <: A1 :: A3

(st:Cap)
  A0 <: A1
  ──────────────────────
  rw ρ A0 <: rw ρ A1

(st:Com)         A0 * A1 <: A1 * A0

(st:Cong)
  A1 <: A2
  ──────────────────────
  A0 * A1 <: A0 * A2

(st:Assoc)       (A1 * A2) * A3 <: A1 * (A2 * A3)

(st:Unfold)      rec X.A <: A{rec X.A/X}

(st:Fold)        A{rec X.A/X} <: rec X.A

(st:Rec)
  A0 <: A1
  ──────────────────────
  rec X.A0 <: rec X.A1

(st:Sum)         Σ_i l_i#A_i <: l#A + Σ_i l_i#A_i

(st:Alternative) A0 <: A0 ⊕ A1

(st:Intersection) A0 & A1 <: A0

Figure 6: Subtyping on types.

3.4  Subtyping 

We support subtyping both on types (Fig. 6) and subtyping on the contents of the linear typing environment (Fig. 7). Our subtyping rules follow the form A0 <: A1 stating that A0 is a subtype of A1, meaning that A0 can be used wherever A1 is expected. The same meaning is used for subtyping on linear typing environments, Δ0 <: Δ1.

Among other operations, these rules enable automatic fold/unfold of recursive types through the use of (st:Fold) and (st:Unfold), as well as grouping (*) of resources with (st:Star). Note how with (st:Alternative) we can weaken a type to consider additional alternatives, and with (st:Intersection) we can pick one of the types of that intersection type, thus choosing which one to use. (st:Discard) allows a record to become shorter, ignoring some of its fields, provided that at least one remains so that any resources that may be kept in that record are not accidentally lost.
Subtyping on deltas, (sd:*), of the form Δ0 <: Δ1:

(sd:Symmetry)    Δ <: Δ

(sd:None)        Δ <:> Δ, none

(sd:Star)        Δ, A0, A1 <:> Δ, A0 * A1

(sd:Var)
  Δ0 <: Δ1    A0 <: A1
  ────────────────────────────
  Δ0, x : A0 <: Δ1, x : A1

(sd:Type)
  Δ0 <: Δ1    A0 <: A1
  ─────────────────────
  Δ0, A0 <: Δ1, A1

(sd:Alternative-L)
  Δ, A0 <: Δ1    Δ, A1 <: Δ1
  ───────────────────────────
  Δ, A0 ⊕ A1 <: Δ1

(sd:Intersection-R)
  Δ0 <: Δ1, A1    Δ0 <: Δ1, A2
  ─────────────────────────────
  Δ0 <: Δ1, A1 & A2

Figure 7: Subtyping environments.


4  Sharing  Mutable  State 

The goal is to enable reads and writes to a cell through multiple aliases, without requiring the type system to precisely track the link between aliased variables. In other words, the type system is aware that a variable is aliased, but does not know exactly which other variables alias that same state. In this scenario, it is no longer possible to implicitly move capabilities between aliases. Instead, we split the original capability into multiple protocol capabilities to that same location, and ensure that these multiple protocols cannot interact in ways that destructively interfere with each other. Such a rely-guarantee protocol accounts for the effects of other protocols (the rely), and limits the actions of this protocol to guarantee that they do not contradict the assumptions relied on by other aliases. This allows independent, but constrained, actions on the different protocols to the same shared state without destructive interference. However, it also requires us to leverage additional type mechanisms to ensure safety, namely:

(a) Hide intermediate states. A rely-guarantee protocol restricts how aliases can use the shared state. However, we allow such specification to be temporarily broken provided that all unexpected changes are private, invisible to other aliases. Therefore, the type system ensures a kind of static mutual exclusion, a mechanism that provides a “critical section” with the desired level of isolation from other aliases to that same state. Consequently, other shared state that may overlap with the one being inspected simply becomes unavailable while that cell is undergoing private changes. Although this solution is necessarily conservative, we avoid any run-time overhead while preserving many relevant usages. To achieve this, we build on the concept of focus [11] (in a non-lexically scoped style, so that there is also a defocus) clearly delimiting the boundary in the code of where shared state is being inspected. Thus, on focus, all other types that may directly or indirectly see inconsistencies must be temporarily concealed only to reappear when those inconsistencies have been fixed, on defocus.

(b) Ensure that each individual step of the protocol is obeyed. In our system, sharing properties are encoded in a protocol composed of several rely-guarantee steps. As discussed in the previous paragraph, each step must be guarded by focus since private states should not be visible to other aliases. Consequently, the focus construct serves not only to safeguard from interference by other aliases, but also to move the protocol forward through each of its individual steps. At each such step, the code can assume on entry (focus) that the shared state will be in a given well-defined rely state, and must ensure on exit (defocus) that the shared state satisfies a given well-defined guarantee state. By characterizing the sequence of actions of each alias with an appropriate protocol, one can make strong local assumptions about how the shared state is used without any explicit dependence on how accesses to other aliases of that shared state are interleaved. This feature is crucial since we cannot know precisely if that same shared state was used between two focus-defocus operations.

4.1  Specifying  Rely-Guarantee  Protocols 

We now detail our rely and guarantee types that are the building blocks of our protocols. To clarify the type structure of our protocols, we define the following sub-grammar of our types syntax (Fig. 2) with the types that may appear in a protocol, P.

P ::= rec X.P | X | P ⊕ P | P & P | A ⇒ P | A; P | none

A rely-guarantee protocol is a type of capability (i.e. has no value) consisting of potentially many steps, each of the form A_c ⇒ A_g. Each such step states that it is safe for the current client to assume that the shared state satisfies A_c, and that the client is required to obey the guarantee A_g, usually of the form A'_c; A_p, which in turn requires the client to establish (guarantee) that the shared state satisfies A'_c before allowing the protocol to continue to be used as A_p. Note that our design constrains the syntactical structure of these protocols through protocol conformance (Section 4.2), not in the grammar.

Pipe’s  protocols  We  can  now  define  the  protocols  for  the  shared  list  nodes  of  the  pipe’s  buffer. 
Each  node  follows  a  rely-guarantee  protocol  that  includes  three  possible  tagged  states:  Node,  which 
indicates  that  a  list  cell  contains  some  useful  data;  Empty,  which  indicates  that  the  node  will 
be  filled  with  data  by  the  producer  (but  does  not  yet  have  any  data);  and  finally  Closed,  which 
indicates  that  the  producer  has  sent  all  data  through  the  pipe  and  no  more  data  will  be  added  (thus, 
it  is  the  last  node  of  the  list). 

Remember  that  the  producer  component  of  the  pipe  has  an  alias  to  the  tail  node  of  the  internal 
list.  Because  it  is  the  producer,  it  can  rely  on  that  shared  node  still  being  Empty  (as  created)  since 
the  consumer  component  will  never  be  allowed  to  change  that  state.  The  rely-guarantee  protocol 
for  the  tail  alias  (for  some  location  p)  is  as  follows: 

rw p Empty#[] ⇒ ( rw p Node#R ⊕ rw p Closed#[] ); none

This protocol expresses that the client code can safely assume (on focus) a capability stating that location p initially holds type Empty#[]. It then requires the code that uses such state to leave it (on defocus) in one of two possible alternatives (⊕) depending on whether the producer chooses to close the pipe or insert a new element to the buffer. To signal that the node is the last element of the pipe, the producer can just assign it a value of type Closed#[]. Insertions are slightly more complicated because that action implies that the tail element of the list will be changed. Therefore, after creating the new node, the producer component will keep an alias of the new tail for itself while leaving the old tail with a type that is to be used by the consumer. In this case, the node is assigned a value of type Node#R, where R denotes the type [ int , ∃p.( ref p :: H[p] ) ] (a pair of an integer and a reference to the next shared node of the buffer, as seen from the head pointer). Regardless of its action, the producer then forfeits any ownership of that state, which is modeled by the empty capability (none)¹ to signal protocol termination.

We now present the abbreviations H and T, the rely-guarantee protocols that govern the use of the shared state of the pipe as seen by the head and tail aliases, respectively. Note that since we intend to apply the same protocol over different locations, we use “Q ≜ ∀p.A” as a type definition (Q) where we can apply a location without requiring the ∀ to be a value, such as location q in Q[q]. The T and H types are defined as follows:

T ≜ ∀p.( E ⇒ (N ⊕ C) )

H ≜ ∀p.( rec X.( N ⇒ none ⊕ C ⇒ none ⊕ E ⇒ E; X ) )

where N is an abbreviation for a capability that contains a node, “rw p Node#R”, C is “rw p Closed#[]” and E is “rw p Empty#[]”. The T type was presented in the paragraph above, so we can now look in more detail at H. Such a protocol contains three alternatives, each with a different action on the state. If the state is found with an E type (i.e. still Empty) the consumer is not to modify such state (i.e., just reestablish E), and can retry again later to check if changes occurred. Observe that the remaining two alternatives have a none guarantee. This models the recovery of ownership of that particular node. Since the client is not required to reestablish the capability it relied on, that capability can remain available in that context even after defocus.

Each  protocol  describes  a  partial  view  of  the  complete  use  of  the  shared  state.  Consequently, 
ensuring  their  safety  cannot  be  done  alone.  In  our  system,  protocols  are  introduced  explicitly 
through  the  share  construct  that  declares  that  a  type  (in  practice  limited  to  capabilities,  including 
protocols)  is  to  be  split  in  two  new  rely-guarantee  protocols.  Safety  is  checked  by  simulating  their 
actions  in  order  to  ensure  that  they  preserve  the  overall  consistency  in  the  use  of  the  shared  state, 
no  matter  how  their  actions  may  be  interleaved.  Since  a  rely-guarantee  protocol  can  subsequently 
continue  to  be  split,  this  technique  does  not  limit  the  number  of  aliases  provided  that  the  protocols 
conform. 

4.2  Checking  Protocol  Splitting 

The  key  principle  of  ensuring  a  correct  protocol  split  is  to  verify  that  both  protocols  consider  all 
visible  states  that  are  reachable  by  stepping,  ensuring  a  form  of  progress.  Protocols  are  not  required 
to  always  terminate  and  may  be  used  indefinitely,  for  instance  when  modeling  invariant-based 
sharing.  However,  regardless  of  interleaving  or  of  how  many  times  a  shared  alias  is  (consecutively) 
used,  no  unexpected  state  can  ever  appear  in  well-formed  protocols.  Thus,  the  type  information 
contained  in  a  protocol  is  valid  regardless  of  all  interference  that  may  occur,  i.e.  it  is  stable  [17,31]. 

Technically, the correctness of protocol splitting is ensured by two key components: 1) a stepping relation, that simulates a single use of the shared state through one focus-defocus block; and 2) a protocol conformance definition, that ensures full coverage of all reachable states by considering all possible interleaved uses of those steps. Thus, even as the rely and guarantee conditions evolve through the protocol's lifetime, protocol conformance ensures each protocol will never get “stuck” because the protocol must be aware of all possible “alias interleaving” that may occur for that state.

¹ We frequently omit the trailing “; none” for conciseness.

Step, (step:*), of the form (A, P) ↦ (A', P'):

(step:None)    (A, none) ↦ (A, none)

(step:Step)    (A0, A0 ⇒ A1; P) ↦ (A1, P)

(step:Alternative-P)
  (A0, P0) ↦ (A1, P2)
  ─────────────────────────
  (A0, P0 ⊕ P1) ↦ (A1, P2)

(step:Alternative-S)
  (A0, P0) ↦ (A2, P1)    (A1, P0) ↦ (A2, P1)
  ───────────────────────────────────────────
  (A0 ⊕ A1, P0) ↦ (A2, P1)

(step:Subsumption)
  A0 <: A1    P0 <: P1    (A1, P1) ↦ (A2, P2)    A2 <: A3    P2 <: P3
  ─────────────────────────────────────────────────────────────────
  (A0, P0) ↦ (A3, P3)

Figure 8: Protocol stepping rules.

The stepping relation (Fig. 8) uses steps of the form (A, P) ↦ (A', P') expressing that, assuming shared state A, the protocol P can take a step to shared state A' with residual protocol P'. Due to the use of ⊕ and & types in the protocols, there may be multiple different steps that may be valid at a given point in that protocol. Therefore, protocol conformance must account for all those different transitions that may be picked.

We define protocol conformance as splitting an existing protocol (or capability) in two, although it can also be interpreted as merging two protocols. Regardless of the direction, the actions of the original protocol(s) must be fully contained in the resulting protocol(s). This leads to the three stepping conditions of the definition below.

Definition 1 (Protocol Conformance). Given an initial state A0 and a protocol γ0, such protocol can be split in two new protocols α0 and β0 if their combined actions conform with those of the original protocol γ0, noted (A0 , γ0 ⇛ α0 ‖ β0). This means that there is a set S of configurations (A , γ ⇛ α ‖ β) closed under the conditions:

1. The initial configuration is in S: (A0 , γ0 ⇛ α0 ‖ β0) ∈ S.

2. All configurations take a step, and the result is also in S. Therefore, if (A , γ ⇛ α ‖ β) ∈ S then:

(a) there exist A', α' such that (A, α) ↦ (A', α'), and for all A', α', (A, α) ↦ (A', α') implies (A, γ) ↦ (A', γ') and (A' , γ' ⇛ α' ‖ β) ∈ S;

(b) there exist A', β' such that (A, β) ↦ (A', β'), and for all A', β', (A, β) ↦ (A', β') implies (A, γ) ↦ (A', γ') and (A' , γ' ⇛ α ‖ β') ∈ S;

(c) there exist A', γ' such that (A, γ) ↦ (A', γ'), and for all A', γ', (A, γ) ↦ (A', γ') implies either:

• (A, α) ↦ (A', α') and (A' , γ' ⇛ α' ‖ β) ∈ S, or;

• (A, β) ↦ (A', β') and (A' , γ' ⇛ α ‖ β') ∈ S.

The definition yields that all configurations must step (i.e. never get stuck) and that a step in one of the protocols (α or β) must also step the original protocol (γ) such that the result itself still conforms. Conformance ensures that all interleavings are coherent. This also means that each protocol “view” of the shared state can work independently in a safe way, even when the other aliases to that shared state are never used. Ownership recovery does not require any special treatment since it just expresses that the focused capability is not returned back to the protocol, enabling it to remain in the local context.

We now apply protocol conformance to our running example, as follows:

A : E

γ : rec X.( E ⇒ E; X & ( E ⇒ N ⊕ C; ( N ⇒ none ⊕ C ⇒ none ) ) )

α : E ⇒ N ⊕ C                                        (Tail protocol)

β : rec X.( E ⇒ E; X ⊕ N ⇒ none ⊕ C ⇒ none )         (Head protocol)

Therefore, applying the definition yields the following set of configurations, S:

(E , rec X.( E ⇒ E; X & ( E ⇒ N ⊕ C; ( N ⇒ none ⊕ C ⇒ none ) ) ) ⇛
     E ⇒ N ⊕ C ‖ rec X.( E ⇒ E; X ⊕ N ⇒ none ⊕ C ⇒ none ))                     (1)

The initial configuration; it is also reached from itself by a step on γ (subtyping for &) with E ⇒ E; X and the same step on β, using (step:Alternative-P).

(N ⊕ C , N ⇒ none ⊕ C ⇒ none ⇛
     none ‖ rec X.( E ⇒ E; X ⊕ N ⇒ none ⊕ C ⇒ none ))                          (2)

by step on (1) with γ (subtyping for &) with E ⇒ N ⊕ C; ... and similarly using α.

(none , none ⇛ none ‖ none)                                                    (3)

by step on (2) with γ and β using (step:Alternative-S).

S is closed (up to subtyping, including unfolding of recursive types).

Regardless of how the use of the state is interleaved at run-time, the shared state cannot reach an unexpected (by the protocols) state. Thus, conformance ensures the stability of the type information contained in a protocol in the face of all possible “alias interleaving”. There exists only a finite number of possible (relevant) states, meaning that it suffices for protocol conformance to consider the smallest set of configurations that obeys the conditions above. Since there is also a finite number of possible interleavings resulting from mixing the steps of the two protocols, there are also a finite number of distinct (relevant) steps. Effectively, protocol conformance resembles a form of bisimulation or model checking (where each protocol is modeled using a graph) with a finite number of states, ensuring such process remains tractable.

In the following text we use a simplified notation, of the form A ⇛ A' ‖ A'', as an idiom (defined in Appendix A) that applies protocol conformance uniformly regardless of whether A is a state (for an initial split) or a rely-guarantee protocol (to be re-split and perhaps extended). The missing type is inferred by this idiom.
Example  We illustrate these concepts by going back to the pipe's protocols. We introduced the protocols for the head and tail aliases through the share construct:

3   share (rw n Empty#[]) as H[n] || T[n];

which is checked by the (t:Share) typing rule, using protocol conformance, as follows:

  A0 ⇛ A1 ‖ A2
  ──────────────────────────────────────────────── (t:Share)
  Γ | Δ, A0 ⊢ share A0 as A1 ‖ A2 : [] ⊣ Δ, A1, A2

With it we share a capability (A0) by splitting it in two protocols (A1 and A2) whose individual roles in the interactions with that state conform (⇛). Consequently, the conclusion states that, if the splitting is correct, then in some linear typing environment initially consisting of a type A0 and Δ, the share construct produces effects that replace A0 with A1 and A2 but leave Δ unmodified (i.e. it is just threaded through).

The next examples show conformance in a simplified way, with only the state and the two resulting protocols of a configuration. Remember that E is the abbreviation for rw q Empty#[] that, just like the abbreviations C and N, was defined above. Thus, the use of the share construct on line 3 yields the following set of configurations, S:

⟨E ⇛ rec X.( N ⇒ none ⊕ C ⇒ none ⊕ E ⇒ E; X ) ‖ E ⇒ ( N ⊕ C )⟩      (1)

⟨N ⊕ C ⇛ rec X.( N ⇒ none ⊕ C ⇒ none ⊕ E ⇒ E; X ) ‖ none⟩           (2)

⟨none ⇛ none ‖ none⟩                                                  (3)

The definition is only respected if E is the state to be shared by the protocols. If instead we had shared, for instance, C we would get the next set of configurations:

⟨C ⇛ rec X.( N ⇒ none ⊕ C ⇒ none ⊕ E ⇒ E; X ) ‖ E ⇒ ( N ⊕ C )⟩      (1)

⟨none ⇛ none ‖ E ⇒ ( N ⊕ C )⟩                                        (2)

The set above does not satisfy our conformance definition. Both the state in configuration (1) and none in (2) are not expected by the right protocol. Thus, those configurations are “stuck” and cannot take a step. Although splittings are checked from a high-level and abstracted perspective, their consequences link back to concrete invalid program states that could occur if such invalid splittings were allowed. For instance, in (2), it would imply that the alias that used the right protocol would assume E on focus long after the ownership of that state was recovered by some other alias of that cell. Consequently, such behavior could allow unexpected changes to be observed by that alias, potentially resulting in a program stuck on some unexpected value.

4.3  Using  Shared  State 

Using shared state is centered on two constructs: focus (that exposes the shared state of a protocol) and defocus (that returns the exposed state to the protocol), combined with our version of the frame rule (Section 4.4). We now describe how focus is checked:

  A0 ∈ A
  ──────────────────────────────────────── (t:Focus-Rely)
  Γ | A0 ⇒ A1 ⊢ focus A : [] ⊣ A0, A1 ▷ ·
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In  general,  focus  may  be  applied  over  a  disjunetion  (©)  of  program  states  and  expeeted  to  work  on 
any  of  those  alternatives.  By  using  A,  the  programmer  ean  list  the  types  that  may  beeome  available 
after  focus,  nominating  what  they  expeet  to  gain  by  focus. 

focus results in a typing environment where the step of the protocol that was focused on
(A₀ ⇒ A₁) now has its rely type (A₀) available to use. However, it is not enough to just make
that capability available; we must also hide all other linear resources that may use that same shared
state (directly or indirectly) in order to avoid interference due to the inspection of private states. To
express this form of hiding, the linear typing environments may include a defocus-guarantee. This
element, written as A ▷ Δ, means that we are hiding the typing environment Δ until A is satisfied.
Therefore, in our system, the only meaningful type for A is a guarantee type of the form A'; A''
that is satisfied when A' is offered and enables the protocol to continue to be used as A''. Although
the typing rule shown above only includes a single element in the initial typing environment (and,
consequently, the defocus-guarantee contains the empty typing environment, ·), this is not a
limitation. In fact, the full potential of (t:Focus-Rely) is only realized when combined with (t:Frame).
Together they allow for the non-lexically scoped framing of potentially shared state, where the
addition of resources that may conflict with focused state will be automatically nested inside the
defocus-guarantee (▷). Operationally, share, focus, and defocus are no-ops, which results in those
expressions having type unit ([]).

$$\frac{}{\Gamma \mid \Delta_0,\ A',\ A';A'' \triangleright \Delta_1 \vdash \mathtt{defocus} : [\,] \dashv \Delta_0,\ A'',\ \Delta_1}\ \text{(t:Defocus-Guarantee)}$$

The complementary operation, defocus, simply checks that the required guarantee type (A') is
present. In that situation, the typing environment (Δ₁) that was hidden on the right of ▷ can now
safely be made available once again. At the same time, the step of the protocol is concluded, leaving
the remainder protocol (A'') in the typing environment. Nesting of defocus-guarantees is possible,
but is only allowed to occur on the right of ▷. Note that defocus-guarantees can never be captured
(such as by functions, see Fig. 4 of Section 3) and, therefore, pending defocus operations cannot
be forgotten or ignored.

Example We now look at the implementation of the put and close functions to exemplify the
use of focus and defocus. Both functions are closures that capture an enclosing Γ where t is a
known location such that tail has type ref t. T was defined above as: ∀p.( rw p Empty#[] ⇒
rw p Node#R ⊕ rw p Closed#[] ) where R is a pair of an integer and a protocol for the head, H
(whose definition, given above, is not important here). The typing environments (Γ and Δ) that
result from each line are shown indented below it:

9   put = fun( e : int :: rw t exists p.(ref p :: T[p]) ).
        Γ = ..., tail : ref t, t : loc, e : int | Δ = rw t ∃p.(ref p :: T[p])
10    open <l,last> = new Empty#{} in
        Γ = ..., last : ref l, l : loc | Δ = ..., rw l Empty#[]
11    open <o,oldlast> = !tail in
        Γ = ..., oldlast : ref o | Δ = rw t [], rw l Empty#[], T[o]
12    focus (rw o Empty#[]);
        Δ = ..., rw o Empty#[], (rw o Node#R) ⊕ (rw o Closed#[]); none ▷ ·
13    share (rw l Empty#[]) as H[l] || T[l];
        Δ = ..., T[l], H[l], ...
14    oldlast := Node#{ e, <l, last::H[l]> };
        Δ = ..., rw o Node#R, ...
15    defocus;
        Δ = rw t [], T[l], none
16    tail := <l, last::T[l]>
        Δ = rw t ∃p.(ref p :: T[p])
17    end
18   end,
19   close = fun( _ : [] :: rw t exists p.(ref p :: T[p]) ).
        Γ = tail : ref t, t : loc, _ : [] | Δ = rw t ∃p.(ref p :: T[p])
20    open <l,last> = !tail in
        Γ = ..., last : ref l, l : loc | Δ = rw t [], T[l]
21    delete tail;
        Δ = T[l]
22    focus (rw l Empty#[]);
        Δ = rw l Empty#[], (rw l Node#R) ⊕ (rw l Closed#[]); none ▷ ·
23    last := Closed#{};
        Δ = rw l Closed#[], (rw l Node#R) ⊕ (rw l Closed#[]); none ▷ ·
24    defocus
        Δ = ·
25   end,

The put function takes an integer stacked with a capability for t. The capability is automatically
unstacked to Δ. Since we are inserting a new element at the end of the buffer, we create a new node
that will serve as the new last node of that list. On line 11, the oldlast node is read from the
tail cell by opening the abstracted location it contains. Such location refers to a protocol type, for
which we must use focus (line 12) to gain access to the state that it shares. Afterwards, we modify
the contents of that cell by assigning it the new node. This node contains the alias for the new tail
as will be used by the head alias. The T component of that split (line 13) is stored in the tail. The
defocus of line 15 completes the protocol for that cell, meaning that the alias will no longer be
usable through there. Carefully note that the share of line 13 takes place after focus. If this were
reversed, then the type system would conservatively hide the two newly created protocols, making
it impossible to use them until defocus. By exploiting the fact that such capability is not shared,
we can allow it to not be hidden inside ▷ since it cannot interfere with shared state. close should
be straightforward to understand.


4.4 Framing State

On its own, (t:Focus-Rely) is very restrictive since it requires a single rely-guarantee protocol to
be the exclusive member of the linear typing environment. This restriction appears because more
complex applications of focus are meant to be combined with our version of the frame rule. Together
they enable a kind of mutual exclusion that also ensures that the addition of any potentially
interfering resources will forcefully be on the right of ▷ (thus making them inaccessible until defocus).
The typing rule is as follows:

$$\frac{\Gamma \mid \Delta_0 \vdash e : A \dashv \Delta_1}{\Gamma \mid \Delta_0 \circledast \Delta_2 \vdash e : A \dashv \Delta_1 \circledast \Delta_2}\ \text{(t:Frame)}$$

Framing serves the purpose of hiding (“frame away”) parts of the footprint (Δ₂) that are not relevant
to typecheck a given expression (e), or can also be seen as enabling extensions to the current
footprint. In our system, such operation is slightly more complex than traditional framing since we
must also ensure that any such extension will not enable destructive interference. Therefore, types
that may refer (directly or indirectly) to values that access shared cells that are currently inconsistent
due to a pending defocus cannot be accessible and must be placed “inside” (on the right of ▷) the
defocus-guarantee. However, statically, we can only make such a distinction conservatively, by only
allowing types that are non-shared (and therefore that are known to never conflict with other
shared state) to not be placed inside the defocus-guarantee. The formal definition of non-shared
is in Appendix A, but for this presentation it is sufficient to consider it as pure types, or capabilities
(rw p A) that are not rely-guarantee protocols and whose contents are also non-shared. This
means that all other linear types (even abstracted capabilities and linear functions) must be assumed
to be potential sources of conflicting interference. For instance, these types could be abstracting or
capturing a rely-guarantee protocol that could then result in a re-entrant inspection of the shared
state.

To build the extended typing environment, we define an environment extension (⊛) operation
that takes into account frame defocus-guarantees up to a certain depth. This means that one can
always consider extensions of the current footprint as long as any added shared state is hidden from
all focused state. By conservatively hiding it behind a defocus-guarantee, we ensure that such state
cannot be touched. This enables locality on focus: if a protocol is available, then it can safely be
focused on.

Definition 2 (Environment Extension). Given environments Δ and Δ' we define environment
extension, noted Δ ⊛ Δ', as follows. Let Δ = Δₙ, Δₛ where n-indexed environments only contain
non-shared elements and s-indexed environments contain the remaining elements (i.e. all those
that may, potentially, include sharing). Identically, assume Δ' = Δ'ₙ, Δ'ₛ. Extending Δ with Δ'
corresponds to Δ ⊛ Δ' = Δₙ, Δ'ₙ, Δ''ₛ where:

(a) Δ''ₛ = Δₛ₀, A ▷ ( Δₛ₁ ⊛ Δ'ₛ )   if Δₛ = Δₛ₀, A ▷ Δₛ₁

(b) Δ''ₛ = Δₛ, Δ'ₛ   otherwise.

that either (a) further nests the shared part of Δ' deeper in Δₛ; or (b) simply composes Δ' if the left
typing environment (Δ) does not carry a defocus-guarantee.

Although the definition appears complex, it works just like regular environment composition
when Δ' does not contain a defocus-guarantee, i.e. the (b) case. The complexity of the definition
arises from the need to nest these structures when they do exist, which results in the inductive
definition above. In that situation, we must ensure that any potentially interfering shared state is
placed deep inside all previously existing defocus-guarantees, so as to remain inaccessible. This
definition is compatible with the basic notion of disjoint separation, but (from a framing
perspective) allows us to frame away defocus-guarantees beyond a certain depth. Such state can be safely
hidden if the underlying expression will not reach it (by defocusing).

The definition allows a (limited) form of multi-focus. For instance, while a defocus is pending
we can create a new cell and share it through two new protocols. Then, by framing the remaining
part of the typing environment, we can now focus on one of the new protocols. The old defocus-
guarantee is then nested inside the new defocus-guarantee that resulted from the last focus. This
produces a “list” of pending guarantees in the reverse order in which they were created through
focus. Through framing we can hide part of that “list” after a certain depth, while preserving its
purpose.
Example We now look back at the focus of line 12. To better illustrate framing, we consider an
extra linear type (that is not non-shared), S, to show how it will become hidden (on the right of ▷)
after focus. We also abbreviate the two non-shared capabilities (“rw t []” and “rw l Empty#[]”)¹
as A₀ and A₁, and abbreviate the protocol so that it does not show the type application of location
o. With this, we get the following derivation:

$$\frac{\dfrac{\dfrac{E \in E}{\Gamma \mid E \Rightarrow (N \oplus C) \vdash \mathtt{focus}\ E : [\,] \dashv E,\ (N \oplus C);\mathtt{none} \triangleright \cdot}\ (3)}{\Gamma \mid (E \Rightarrow (N \oplus C)) \circledast S, A_0, A_1 \vdash \mathtt{focus}\ E : [\,] \dashv (E,\ (N \oplus C);\mathtt{none} \triangleright \cdot) \circledast S, A_0, A_1}\ (2)}{\Gamma \mid E \Rightarrow (N \oplus C),\ S,\ A_0,\ A_1 \vdash \mathtt{focus}\ E : [\,] \dashv E,\ ((N \oplus C);\mathtt{none} \triangleright S),\ A_0,\ A_1}\ (1)$$

where (1) - (Environment Extension), (2) - (t:Frame), and (3) - (t:Focus-Rely).

Note that frame may add elements to the typing environment that cannot be instantiated into
valid heaps. That is, the conclusion of the frame rule states that a hypothesis with the extended
environment typechecks the expression with the same type and resulting effects. Not all such
extensions obey store typing, just as the typing rule enables adding multiple capabilities to one
same location, which can never be realized in an actual, correct, heap. However, our preservation
theorem ensures that, starting from a correct (store typed) heap and typing environment, we cannot
reach an incorrect heap state.
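As an added illustration of Definition 2 (this is not code from the paper or its prototype), the following Python model represents an environment as a tuple of elements and a defocus-guarantee as A ▷ Δ, implements Δ ⊛ Δ' with cases (a) and (b), and reproduces the extension step (1) of the derivation above as well as the nested “list” of guarantees that multi-focus produces. The element names (E, A0, A1, S, R1, G2, P1, P2), the shared/non-shared tags, and the helper functions are assumptions set up for this example; the order of elements within an environment is immaterial, only the nesting under ▷ matters.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Elem:
    """A typing-environment element. shared=False marks the non-shared fragment
    (pure types, or rw capabilities that are not protocols and whose contents are
    non-shared); every other linear type must be assumed to be shared."""
    text: str
    shared: bool = True


@dataclass(frozen=True)
class Guarantee:
    """A defocus-guarantee A ▷ Δ: the environment `hidden` is inaccessible until the
    guarantee type `guarantee` is offered by defocus. Always counts as shared."""
    guarantee: str
    hidden: tuple


def split(delta):
    """Split Δ into (Δ_n, Δ_s): the non-shared elements and everything else."""
    non_shared = tuple(e for e in delta if isinstance(e, Elem) and not e.shared)
    rest = tuple(e for e in delta if not (isinstance(e, Elem) and not e.shared))
    return non_shared, rest


def extend(delta, delta2):
    """Environment extension Δ ⊛ Δ' (Definition 2)."""
    d_n, d_s = split(delta)
    d2_n, d2_s = split(delta2)
    guard = next((e for e in d_s if isinstance(e, Guarantee)), None)
    if guard is not None:
        # case (a): Δ_s = Δ_s0, A ▷ Δ_s1. The shared part of Δ' is nested under the
        # guarantee, recursively, so it ends up below every pending defocus.
        d_s0 = tuple(e for e in d_s if e is not guard)
        d_s2 = d_s0 + (Guarantee(guard.guarantee, extend(guard.hidden, d2_s)),)
    else:
        # case (b): no pending defocus on the left, plain composition.
        d_s2 = d_s + d2_s
    return d_n + d2_n + d_s2


def render(delta):
    """Print an environment in the paper's notation (· for the empty environment)."""
    if not delta:
        return "·"
    parts = []
    for e in delta:
        if isinstance(e, Elem):
            parts.append(e.text)
        else:
            parts.append(f"({e.guarantee} ▷ {render(e.hidden)})")
    return ", ".join(parts)


def depth(delta):
    """Number of nested pending defocus-guarantees (length of the 'list')."""
    return max((1 + depth(e.hidden) for e in delta if isinstance(e, Guarantee)), default=0)


# Constructed inputs mirroring step (1) of the derivation above.
E = Elem("E", shared=False)        # rw o Empty#[], the rely type gained by focus
A0 = Elem("A0", shared=False)      # rw t []
A1 = Elem("A1", shared=False)      # rw l Empty#[]
S = Elem("S")                      # a linear type that is not non-shared
AFTER_FOCUS = (E, Guarantee("(N ⊕ C); none", ()))   # E, (N ⊕ C); none ▷ ·


def frame_after_focus():
    """(E, (N ⊕ C); none ▷ ·) ⊛ S, A0, A1: S lands on the right of ▷, A0 and A1 stay out."""
    return render(extend(AFTER_FOCUS, (S, A0, A1)))


def multi_focus():
    """A second focus (on protocol P1 of a freshly shared cell) while the first defocus
    is still pending: the old guarantee is nested inside the new one."""
    second = (Elem("R1", shared=False), Guarantee("G2", ()))   # result of focus on P1
    remaining = (E, A0, A1, Guarantee("(N ⊕ C); none", (S,)), Elem("P2"))
    return extend(second, remaining)


if __name__ == "__main__":
    print(frame_after_focus())
    print(render(multi_focus()), "| pending guarantees:", depth(multi_focus()))
```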

4.5 Consumer code

We now show the last function of the pipe example, tryTake (the typing environment that results
from each line is shown indented below it, with [a], [b] and [c] marking the alternatives):

26  tryTake = fun( _ : [] :: rw h exists p.(ref p :: H[p]) ).
        Δ = rw h ∃p.(ref p :: H[p])
27    open <f,first> = !head in
        Δ = rw h [], (N[f] ⇒ none) ⊕ (C[f] ⇒ none) ⊕ (E[f] ⇒ E[f] ; ...)
        [a] Δ = rw h [], N[f] ⇒ none
        [b] Δ = rw h [], C[f] ⇒ none
        [c] Δ = rw h [], E[f] ⇒ E[f] ; ...
28    focus C[f], E[f], N[f];  // same abbreviations that were defined above
        [a] Δ = ..., N[f], none; none ▷ ·
        [b] Δ = ..., C[f], none; none ▷ ·
        [c] Δ = ..., E[f], E[f] ; ... ▷ ·
29    case !first of
30      Empty#_ →
        [c] Δ = rw h [], rw f [], rw f Empty#[]; ... ▷ ·
31        first := Empty#{};  // restore linear type
        [c] Δ = rw h [], rw f Empty#[], rw f Empty#[]; ... ▷ ·
32        defocus;  // the next assignment must occur after defocus and just on this branch
        [c] Δ = rw h [], H[f]
33        head := <f, first::H[f]>;
        [c] Δ = rw h ∃p.(ref p :: H[p])
34        NoResult#{} : NoResult#([] :: rw h ∃p.(ref p :: H[p]))  // assume auto stacked
        [c] Δ = ·
35    | Closed#_ →
        [b] Δ = rw h [], rw f [], none; none ▷ ·
36        delete first;
        [b] Δ = rw h [], none; none ▷ ·
37        delete head;
        [b] Δ = none; none ▷ ·
38        defocus;
        [b] Δ = ·
39        Depleted#{} : Depleted#[]
        [b] Δ = ·
40    | Node#[element,n] →  // opens pair
        [a] Δ = rw h [], rw f [], n : ∃p.(ref p :: H[p]), none; none ▷ ·
41        delete first;
        [a] Δ = rw h [], n : ∃p.(ref p :: H[p]), none; none ▷ ·
42        head := n;
        [a] Δ = rw h ∃p.(ref p :: H[p]), none; none ▷ ·
43        defocus;
        [a] Δ = rw h ∃p.(ref p :: H[p])
44        Result#element : Result#(int :: rw h ∃p.(ref p :: H[p]))  // auto stacked
        [a] Δ = ·
45    end
46  end

¹ Note that the content of each capability can be made non-shared by subtyping rules.
The code should be straightforward up to the use of alternative program states (⊕). This
imprecise state means that we have one of several different alternative capabilities and, consequently,
the expression must consider all of those cases separately. On line 28, to use each individual
alternative of the protocol, we check the expression separately on each alternative (marked as [a], [b],
and [c] in the typing environments), cf. (t:Alternative-Left) in Fig. 4. Our case gains precision
by ignoring branches that are statically known to not be used. On line 29, when the type checker is
case analyzing the contents of first on alternative [b] it obtains type Closed#[]. Therefore, for
that alternative, type checking only examines the Closed tag and the respective case branch. This
feature enables the case to obey different alternative program states simultaneously, although the
effects/guarantee that each branch fulfills are incompatible.


5 Technical Results

Our soundness results (details in Appendix B) use the next progress and preservation theorems:

Theorem 1 (Progress). If e₀ is a closed expression (and where Γ and Δ are also closed) such that
Γ | Δ₀ ⊢ e₀ : A ⊣ Δ₁ then either:

• e₀ is a value, or;

• if there exists H₀ such that Γ | Δ₀ ⊢ H₀ then ⟨ H₀ || e₀ ⟩ ↦ ⟨ H₁ || e₁ ⟩.

The progress statement ensures that all well-typed expressions are either values or, if there is
a heap that obeys the typing assumptions, the expression can step to some other program state,
i.e. a well-typed program never gets stuck, although it may diverge.

Theorem 2 (Preservation). If e₀ is a closed expression such that:

Γ₀ | Δ₀ ⊛ Δ₂ ⊢ H₀      ⟨ H₀ || e₀ ⟩ ↦ ⟨ H₁ || e₁ ⟩      Γ₀ | Δ₀ ⊢ e₀ : A ⊣ Δ

then, for some Δ₁ and Γ₁ we have:

Γ₀, Γ₁ | Δ₁ ⊛ Δ₂ ⊢ H₁      Γ₀, Γ₁ | Δ₁ ⊢ e₁ : A ⊣ Δ


The theorem above requires the initial expression e₀ to be closed so that it is ready for evaluation.
The preservation statement ensures that the resulting effects (Δ) and type (A) of the expression
remain the same throughout the execution. Therefore, the initial typing is preserved by the
dynamics of the language, regardless of possible environment extensions (⊛ Δ₂). This formulation
respects the intuition that the heap used to evaluate an expression may include other parts (Δ₂) that
are not relevant to check that expression.

We define store typing (Appendix B.4), noted Γ | Δ ⊢ H, in a linear way so that each heap
location must be matched by some capability in Δ or potentially many rely-guarantee protocols.
Thus, no instrumentation is necessary to show these theorems.

Destructive interference occurs when an alias assumes a type that is incompatible with the
real value stored in the shared state, potentially causing the program to become stuck. However,
we proved that any well-typed program in our language cannot become stuck. Thus, although our
protocols enable a diverse set of uses of shared state, these theorems show that when rely-guarantee
protocols are respected those usages are safe.


6 Additional Examples

We now exemplify some sharing idioms captured by our rely-guarantee protocols. We also show
additional details of the Pipe example discussed above. Note that the prototype implementation,
available at https://code.google.com/p/deaf-parrot/, contains even more examples beyond
those listed here.


6.1 Sharing a Linear ADT (Stack)

Our protocols are capable of modeling monotonic [12,23] uses of shared state. To illustrate this, we
use the linear stack ADT from [21] where the stack object has two possible typestates: Empty and
Non-Empty. The object, with an initial typestate E(mpty), is accessible through closures returned
by the following “constructor” function, newStack:

!( ∀T. [] ⊸ ∃E.∃NE. ![ push    : T :: E ⊕ NE ⊸ [] :: NE,
                       pop     : [] :: NE ⊸ T :: E ⊕ NE,
                       isEmpty : [] :: E ⊕ NE ⊸ Empty#([] :: E) + NonEmpty#([] :: NE),
                       del     : [] :: E ⊸ [] ] :: E )

Although the capability to that stack is linear, we can use protocols to share it. This enables
multiple aliases to that same object to coexist and use it simultaneously from unknown contexts.
The following protocol converges the stack to a non-empty typestate, starting from an imprecise
alternative that also includes the empty typestate.

S = ( NE ⊕ E ) ⇒ NE ; rec X.( NE ⇒ NE ; X )

Monotonicity means that the type becomes successively more precise, although each alias does
not know when those changes occurred. Note that, due to focus, the object can undergo
intermediate states that are not compatible with the required NE guarantee. However, on defocus, clients
must provide NE, such as by pushing some element to the stack. The protocol itself can be
repeatedly shared in equal protocols. Since each copy will produce the same effects as the original
protocol, their existence is not observable.


For convenience, we include the definition of newStack:

1   let newStack = <T>fun( _ : [] ).
2     open <h,head> = new E#{} in  // ’head’ contains tagged unit
3     {
4       push = fun( e : T :: EMPT[h] ⊕ ELEM[h] ).
5         open <n,next> = new !head in
6           head := N#{ e , <n,next> }  // tagged next node
7         end,
8       pop = fun( _ : [] :: ELEM[h] ).
9         case !head of
10          N#[e,n] →  // sugared pair open
11            open <t,ptr> = n in
12              head := !ptr;
13              delete ptr;
14              e
15            end
16        end,
17      isEmpty = fun( _ : [] :: EMPT[h] ⊕ ELEM[h] ).
18        case !head of  // linear content (destructive read) thus
19          E#v →  // requires (conservatively) reassigning the cell
20            head := E#v;
21            Empty#{}
22        | N#n →
23            head := N#n;
24            NonEmpty#{}
25        end,
26
27      del = fun( _ : [] :: EMPT[h] ).
28        delete head
29    }
30  end

This stack, although linear, can be shared arbitrarily by using the rely-guarantee protocol
mentioned above, that enforces a monotonic use of the stack’s state. Protocol conformance, instantiated
as follows:

A : NE ⊕ E
γ : ( ( NE ⊕ E ) ⇒ NE ; rec X.( NE ⇒ NE ; X ) )
α : ( ( NE ⊕ E ) ⇒ NE ; rec X.( NE ⇒ NE ; X ) )
β : ( ( NE ⊕ E ) ⇒ NE ; rec X.( NE ⇒ NE ; X ) )

is straightforward by using the stepping subtyping rule.
Client Code. Example of possible client code:

1   let stack = newStack[int] {} in
2   open <E,<NE,x>> = stack in
3     share E as S || S;
4     // sends an alias of the stack to some unknown context
5     unknown( <E,<NE,x :: S>> );
6     focus E ⊕ NE;
7     case x.isEmpty( {} ) of
8       Empty#_ →
9         x.push( 123 );
10        defocus
11    | NonEmpty#_ →
12        x.pop( {} );
13        x.push( 123 );
14        defocus
15    end;
16    // from now on can rely on stack being NonEmpty
17    focus NE;
18    // ... use x in some way ...
19    defocus
20    // ...
21  end
22  end

6.2 Capturing Local Knowledge in a Simple Counter

Although our types cannot express the same amount of detail on local knowledge as prior work [4,
18], they are expressive enough to capture the underlying principle that enables us to keep increased
precision on the shared state between steps of a protocol.

For this example, we use a simple two-state counter. In it, N encodes a number that may be
zero and P some positive number, with the following relation between states:

N = Z#[] + NZ#int      P = NZ#int      (note that: P <: N, vital to show conformance)

We now share this cell in two asymmetric roles: IncOnly, that limits the actions of the alias to only
increment the counter (in a protocol that can be shared repeatedly); and Any, an alias that relies on
the restriction imposed by the previous protocol to be able to capture a stronger rely property in a
step of its own protocol. Assuming an initial capability of rw p N, this cell can be shared using the
following two protocols:

IncOnly = rec X.( rw p N ⇒ rw p P ; X )

Any = rec Y.( rw p N ⇒ rw p P ; rw p P ⇒ rw p N ; Y )

Thus, by constraining the actions of IncOnly we can rely on the assumption that Any remains
positive on its second step, even when the state is manipulated in some other unknown program
context. Therefore, on the second step of Any, the case analysis can be sure that the value of the
shared state must have remained with the NZ tag between focuses. Note that the actions of that
alias allow for it to change the state back to Z.


Client code. The typing environment that results from each line is shown indented below it:

1   open <v,value> = new Z#{} in
2     share (rw v Z#[]) as IncOnly[v] || Any[v];
3     outside( <v, value :: IncOnly[v]> );
        Δ = Any[v], ...
4     focus N[v], P[v];
        Δ = rw v N, (rw v P ; (rw v P ⇒ rw v N ; Y) ▷ ...)
5     case !value of  // may or may not be “positive”
6       Z#_  → value := NZ#123
7     | NZ#n → value := NZ#456
8     end;
        Δ = rw v P, (rw v P ; (rw v P ⇒ rw v N ; Y) ▷ ...)
9     defocus;
        Δ = (rw v P ⇒ rw v N ; Y), ...
10    ...  // anything else may be executed many or none times
11    focus N[v];
        Δ = rw v P, (rw v N ; Y ▷ ...)
12    case !value of  // protocol enables type system to assume state remains nonzero!
13      NZ#n → value := Z#{}
14    end;
        Δ = rw v N, (rw v N ; Y ▷ ...)
15    defocus

Protocol Conformance.

Remember that P <: N:

A : N
γ : rec X.( N ⇒ P ; rec Y.( P ⇒ N ; X & N ⇒ P ; Y ) )
α : rec X.( N ⇒ P ; P ⇒ N ; X )
β : rec X.( N ⇒ P ; X )

⟨ N , rec X.( N ⇒ P ; rec Y.( P ⇒ N ; X & N ⇒ P ; Y ) ) ⇒ rec X.( N ⇒ P ; P ⇒ N ; X ) || rec X.( N ⇒ P ; X ) ⟩   (1)
    initial configuration.

⟨ P , rec Y.( P ⇒ N ; X & N ⇒ P ; Y ) ⇒ P ⇒ N ; X || rec X.( N ⇒ P ; X ) ⟩   (2)
    by α with (1);
    by β with (2).

⟨ P , rec Y.( P ⇒ N ; X & N ⇒ P ; Y ) ⇒ rec X.( N ⇒ P ; P ⇒ N ; X ) || rec X.( N ⇒ P ; X ) ⟩   (3)
    by β with (1).

⟨ N , rec X.( N ⇒ P ; rec Y.( P ⇒ N ; X & N ⇒ P ; Y ) ) ⇒ rec X.( N ⇒ P ; P ⇒ N ; X ) || rec X.( N ⇒ P ; X ) ⟩   (4)
    by α with (2).

S is closed (up to unfolding of recursive types and subtyping).

The continuous split of rec X.( N ⇒ P ; X ) is straightforward since all changes “fit” in the
original protocol.
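To make the local-knowledge argument of this section concrete at run time, here is an added Python simulation (not code from the paper or its prototype) that interleaves an IncOnly alias and an Any alias on one cell, with a monitor checking each alias's rely on focus and its guarantee on defocus. It also runs a rogue IncOnly alias that writes Z: the monitor rejects that write at the rogue alias's own defocus, and with the monitor switched off the same write leaves Any stuck at its second step, exactly the interference the protocols rule out. The Cell and Alias classes, the action bodies, the random interleaving and the tagged-tuple encoding of Z#[] and NZ#int are all constructed for this example.

```python
import random

# Counter states as tagged tuples (constructed encoding):
#   N = Z#[] + NZ#int   and   P = NZ#int, so every P value is also an N value (P <: N).
def is_N(v):
    return v[0] in ("Z", "NZ")


def is_P(v):
    return v[0] == "NZ"


STATE_TYPES = {"N": is_N, "P": is_P}


class ProtocolViolation(Exception):
    """Raised by the monitor when an alias breaks its rely or its guarantee."""


class Cell:
    def __init__(self, value):
        self.value = value


class Alias:
    """One alias of the shared cell, following a recursive protocol given as a
    cyclic list of (rely, guarantee) step pairs."""
    def __init__(self, name, steps, monitored=True):
        self.name, self.steps, self.monitored = name, steps, monitored
        self.step = 0

    def focus(self, cell):
        rely, _ = self.steps[self.step]
        if self.monitored and not STATE_TYPES[rely](cell.value):
            raise ProtocolViolation(f"{self.name} relied on {rely} but found {cell.value}")

    def defocus(self, cell):
        _, guarantee = self.steps[self.step]
        if self.monitored and not STATE_TYPES[guarantee](cell.value):
            raise ProtocolViolation(f"{self.name} promised {guarantee} but left {cell.value}")
        self.step = (self.step + 1) % len(self.steps)


INC_ONLY = [("N", "P")]              # rec X.( rw p N => rw p P ; X )
ANY = [("N", "P"), ("P", "N")]       # rec Y.( rw p N => rw p P ; rw p P => rw p N ; Y )


def inc_only_action(alias, cell, rogue=False):
    alias.focus(cell)
    if rogue:
        cell.value = ("Z",)          # a write that IncOnly's guarantee (P) does not permit
    else:
        tag, *rest = cell.value
        cell.value = ("NZ", (rest[0] if tag == "NZ" else 0) + 1)
    alias.defocus(cell)


def any_action(alias, cell):
    alias.focus(cell)
    if alias.step == 0:
        # first step (client lines 4-9): the value may or may not be positive
        cell.value = ("NZ", 123) if cell.value[0] == "Z" else ("NZ", 456)
    else:
        # second step (client lines 11-15): only an NZ branch exists; a Z here is
        # the stuck program that the protocol is meant to rule out
        if cell.value[0] != "NZ":
            raise RuntimeError(f"stuck: Any found {cell.value} at its second step")
        cell.value = ("Z",)
    alias.defocus(cell)


def run(rounds=50, seed=0, rogue=False, monitored=True):
    """Interleave 0..3 IncOnly actions before each Any action (client line 10: anything
    else may run many or none times). Returns 'safe', or a message starting with
    'violation' (caught by the monitor) or 'stuck' (what happens unmonitored)."""
    rng = random.Random(seed)
    cell = Cell(("Z",))                                   # open <v,value> = new Z#{}
    inc = Alias("IncOnly", INC_ONLY, monitored)
    anyalias = Alias("Any", ANY, monitored)
    try:
        for _ in range(rounds):
            for _ in range(rng.randint(0, 3)):
                inc_only_action(inc, cell, rogue)
            any_action(anyalias, cell)
    except ProtocolViolation as e:
        return f"violation: {e}"
    except RuntimeError as e:
        return str(e)
    return "safe"


if __name__ == "__main__":
    for args in ({}, {"rogue": True}, {"rogue": True, "monitored": False}):
        print(args, "->", run(**args))
```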
6.3 Iteratively Sharing State (including Additional Steps)

Our technique is able to match an arbitrary number of aliases by splitting an existing protocol.
Such a split can also extend the original uses of the shared state by appending additional steps, if
those uses do not destructively interfere with the old assumptions.

This example shows such a feature by encoding a form of delegation through shared state
that models a kind of “server-like process”. Although single-threaded, such a system could be
implemented using co-routines or collaborative multi-tasking. The overall computation is split
between three individual workers (for instance by each using a private list containing cells with
pending, shared, jobs), each with a specific task. A Receiver uses a Free job cell and stores some
Raw element in it. A Compressor processes a Raw element into a Done state. Finally, the Storer
removes the cells in order to store them elsewhere. In real implementations, each worker would be
used by separate handlers/threads, triggered in unpredictable orders, to handle such jobs.

We also show how we can share multiple locations together, bundled using *, by each job being
kept in a container cell while the flag (used to communicate the information on the kind of content
stored in the container) is in a separate cell. The raw value is typed with A and the processed value
has type B. The types and protocols are:

F = rw f Free#[] * rw c []      R = rw f Raw#[] * rw c A      D = rw f Done#[] * rw c B

Receiver = F ⇒ R

Compressor = rec X.( F ⇒ F ; X ⊕ R ⇒ D )

Storer = rec X.( F ⇒ F ; X ⊕ rec Y.( R ⇒ R ; Y ⊕ D ⇒ none ) )

The protocol for the Receiver is straightforward since it just processes a free cell by assigning
it a raw value. Similarly, Compressor and Storer follow analogous ideas by using a kind of
“waiting” step until the cell is placed with the desired type for the actions that they are to take
(note how Storer keeps a more precise context when the state is not F, even though it is not
allowed to publicly modify the state). To obtain these protocols through binary splits, we need an
intermediate protocol that will be split to create the Compressor and Storer protocols. The initial
split (of F) is as follows:

F ⇒ Receiver || rec X.( F ⇒ F ; X ⊕ R ⇒ none )

The protocol on the right is then further split, and its ownership recovery step further extended
with additional steps, to match the two new desired protocols:

rec X.( F ⇒ F ; X ⊕ rec Y.( R ⇒ R ; Y & R ⇒ D ; D ⇒ none ) ) ⇒ Compressor || Storer

The Receiver alias never needs to see how the other two aliases use the shared state. Although the
second split is independent from the initial one, protocol conformance ensures that it cannot cause
interference by breaking what Receiver initially relied on.

Protocol conformance.

Assuming abbreviations for the following states:

F = rw f Free#[] * rw c []      R = rw f Raw#[] * rw c A      D = rw f Done#[] * rw c B
The final three target aliases have the following protocols:

Receiver = F ⇒ R

Compressor = rec X.( F ⇒ F ; X ⊕ R ⇒ D )

Storer = rec X.( F ⇒ F ; X ⊕ rec Y.( R ⇒ R ; Y ⊕ D ⇒ none ) )

The first split is as follows (note that it is equivalent to Receiver || TMP, where TMP is
rec X.( F ⇒ F ; X ⊕ R ⇒ none )).

A : F
γ : rec X.( F ⇒ F ; X & F ⇒ R ; R ⇒ none )
α : rec X.( F ⇒ F ; X ⊕ R ⇒ none )
β : F ⇒ R

The conformance is straightforward since it is similar to previous examples.

We now wish to re-split rec X.( F ⇒ F ; X ⊕ R ⇒ none ) and append a few additional steps
to it so as to enable a transition from R to D:

rec X.( F ⇒ F ; X ⊕ R ⇒ none ) × rec Y.( R ⇒ R ; Y & R ⇒ D ; D ⇒ none )

which results in the following combined protocol:

rec X.( F ⇒ F ; X ⊕ rec Y.( R ⇒ R ; Y & R ⇒ D ; D ⇒ none ) )

a protocol which is then split as (note that the initial state is F ⊕ R, which can be computed with
initial):

A : F ⊕ R   [ = initial( rec X.( F ⇒ F ; X ⊕ rec Y.( R ⇒ R ; Y & R ⇒ D ; D ⇒ none ) ) ) ]
γ : rec X.( F ⇒ F ; X ⊕ rec Y.( R ⇒ R ; Y & R ⇒ D ; D ⇒ none ) )
α : rec X.( F ⇒ F ; X ⊕ R ⇒ D )
β : rec X.( F ⇒ F ; X ⊕ rec Y.( R ⇒ R ; Y ⊕ D ⇒ none ) )

Yielding the following set of configurations:

⟨ F ⊕ R , rec X.( F ⇒ F ; X ⊕ rec Y.( R ⇒ R ; Y & R ⇒ D ; D ⇒ none ) ) ⇒
    rec X.( F ⇒ F ; X ⊕ R ⇒ D ) || rec X.( F ⇒ F ; X ⊕ rec Y.( R ⇒ R ; Y ⊕ D ⇒ none ) ) ⟩   (1)
    initial configuration,
    and also the same step if stepping with γ / β
    (note subtyping to weaken the protocol so that both resulting protocols match).

⟨ F ⊕ D , rec X.( F ⇒ F ; X ... ⊕ D ⇒ none ) ⇒
    rec X.( F ⇒ F ; X ... ⊕ none ) || rec X.( F ⇒ F ; X ⊕ rec Y.( R ⇒ R ; Y ⊕ D ⇒ none ) ) ⟩   (2)
    step with γ / α on (1).

⟨ F ⊕ none , rec X.( F ⇒ F ; X ... ⊕ none ) ⇒
    rec X.( F ⇒ F ; X ... ⊕ none ) || rec X.( F ⇒ F ; X ⊕ none ) ⟩   (3)
    step with γ / α on (2).

S is closed (up to unfolding of recursive types and subtyping).
6.4 Complete Pipe Code with Client Code

Complete pipe code, from the running example (the Γ | Δ typing environments at each point are
shown as comments; [a], [b] and [c] mark the three alternatives of the ⊕ in H):

    let newPipe = fun( _ : [] ).
      // Γ = _ : [] | Δ = •
      open <n,node> = new Empty#{} in
        // Γ = _ : [], node : ref n, n : loc | Δ = rw n Empty#[]
        share (rw n Empty#[]) as H[n] || T[n];        // splits cap of 'n' in two protocols
        // Γ = ... | Δ = T[n], H[n]
        open <h,head> = new <n, node::H[n]> in        // stacks 'H[n]' on top of reference 'node'
          // Γ = ..., head : ref h, h : loc | Δ = T[n], rw h ∃p.(ref p :: H[p])
          open <t,tail> = new <n, node::T[n]> in      // analogous to previous
            // Γ = ..., tail : ref t, t : loc | Δ = rw t ∃p.(ref p :: T[p]), rw h ∃p.(ref p :: H[p])
            < rw t exists p.( ref p :: T[p] ),        // packs capability as 'C'
            < rw h exists p.( ref p :: H[p] ),        // packs capability as 'P'
            {   // creates labeled record with 'put', 'close' and 'tryTake' as members
              put = fun( e : int :: rw t exists p.( ref p :: T[p] ) ).
                // Γ = ..., e : int | Δ = rw t ∃p.(ref p :: T[p])
                open <l,last> = new Empty#{} in
                  // Γ = ... | Δ = rw t ∃p.(ref p :: T[p]), rw l Empty#[]
                  open <o,oldlast> = !tail in
                    // Γ = ..., oldlast : ref o | Δ = rw t [], rw l Empty#[], T[o]
                    focus (rw o Empty#[]);
                    // Δ = ..., rw o Empty#[], (rw o Node#R) ⊕ (rw o Closed#[]); none ▷ •
                    share (rw l Empty#[]) as H[l] || T[l];
                    // Δ = ..., T[l], H[l], ...
                    oldlast := Node#{ e, <l,last::H[l]> };
                    // Δ = ..., rw o Node#R, ...
                    defocus;
                    // Δ = rw t [], T[l], none
                    tail := <l, last::T[l]>
                    // Δ = rw t ∃p.(ref p :: T[p])
                  end
                end,
              close = fun( _ : [] :: rw t exists p.( ref p :: T[p] ) ).
                // Γ = ..., _ : [] | Δ = rw t ∃p.(ref p :: T[p])
                open <l,last> = !tail in
                  // Γ = ..., last : ref l, l : loc | Δ = rw t [], T[l]
                  delete tail;
                  // Γ = ... | Δ = T[l]
                  focus (rw l Empty#[]);
                  // Γ = ... | Δ = rw l Empty#[], (rw l Node#R) ⊕ (rw l Closed#[]); none ▷ •
                  last := Closed#{};
                  // Γ = ... | Δ = rw l Closed#[], (rw l Node#R) ⊕ (rw l Closed#[]); none ▷ •
                  defocus
                  // Γ = ... | Δ = •
                end,
              tryTake = fun( _ : [] :: rw h exists p.( ref p :: H[p] ) ).
                // Δ = rw h ∃p.(ref p :: H[p])
                open <f,first> = !head in
                  // Δ = rw h [], H[f]
                  //   = rw h [], (N[f] ⇒ none) ⊕ (C[f] ⇒ none) ⊕ (E[f] ⇒ E[f]; ...)
                  // [a] Δ = rw h [], N[f] ⇒ none
                  // [b] Δ = rw h [], C[f] ⇒ none
                  // [c] Δ = rw h [], E[f] ⇒ E[f]; ...
                  focus C[f], E[f], N[f];              // these abbreviations are defined below
                  // [a] Δ = ..., N[f], none; none ▷ •
                  // [b] Δ = ..., C[f], none; none ▷ •
                  // [c] Δ = ..., E[f], E[f]; ... ▷ •
                  case !first of
                    Empty#_ →
                      // [c] Δ = rw h [], rw f [], rw f Empty#[]; ... ▷ •
                      first := Empty#{};             // restore linear type
                      // [c] Δ = rw h [], rw f Empty#[], rw f Empty#[]; ... ▷ •
                      defocus;
                      // [c] Δ = rw h [], H[f]
                      head := <f,first::H[f]>;
                      // [c] Δ = rw h ∃p.(ref p :: H[p])
                      NoResult#{} : NoResult#([] :: rw h ∃p.(ref p :: H[p]))   // assume auto stacked
                      // [c] Δ = •
                  | Closed#_ →
                      // [b] Δ = rw h [], rw f [], none; none ▷ •
                      delete first;
                      // [b] Δ = rw h [], none; none ▷ •
                      delete head;
                      // [b] Δ = none; none ▷ •
                      defocus;
                      // [b] Δ = •
                      Depleted#{} : Depleted#[]
                      // [b] Δ = •
                  | Node#[element, n] →
                      // [a] Δ = rw h [], rw f [], n : ∃p.(ref p :: H[p]), none; none ▷ •
                      delete first;
                      // [a] Δ = rw h [], n : ∃p.(ref p :: H[p]), none; none ▷ •
                      head := n;
                      // [a] Δ = rw h ∃p.(ref p :: H[p]), none; none ▷ •
                      defocus;
                      // [a] Δ = rw h ∃p.(ref p :: H[p])
                      Result#element : Result#(int :: rw h ∃p.(ref p :: H[p]))   // assume auto stacked
                      // [a] Δ = •
                  end
                end
            } :: ( rw h exists p.(ref p :: H[p]) * rw t exists p.(ref p :: T[p]) ) > >
          end
        end
      end
    in
      ...

Using the abbreviations N for "rw p Node#R", C for "rw p Closed#[]", and E for "rw p Empty#[]":

    newPipe : !( [] ⊸ ∃C.∃P.( !M :: C * P ) )

    M ≜ [ put     : !( int :: P ⊸ [] :: P ),
          close   : !( [] :: P ⊸ [] ),
          tryTake : !( [] :: C ⊸ NoResult#([] :: C) + Result#(int :: C) + Depleted#[] ) ]

Note that the protocol enables a "late choice" on the producer, such that it can pick Closed
or Node after focus.

    R ≜ [ int, ∃p.( ref p :: H[p] ) ]

    T ≜ ∀p.( rw p Empty#[] ⇒ ( rw p Node#R ⊕ rw p Closed#[] ) )

    H ≜ ∀p.( rec X.( rw p Node#R ⇒ none ⊕ rw p Closed#[] ⇒ none ⊕ rw p Empty#[] ⇒ rw p Empty#[]; X ) )

Protocol Conformance. Note the "late choice" on making the node either N (rw p Node#R) or C
(rw p Closed#[]). The abbreviation E is for "rw p Empty#[]". We instantiate the variables of the
protocol conformance definition as:

    A: E
    γ: rec X.( E ⇒ E; X & ( E ⇒ N ⊕ C; ( N ⇒ none ⊕ C ⇒ none ) ) )
    α: E ⇒ C ⊕ N; none
    β: rec X.( E ⇒ E; X ⊕ N ⇒ none ⊕ C ⇒ none )

Which yields the following set S:

    ⟨ E , rec X.( E ⇒ E; X & ( E ⇒ N ⊕ C; ( N ⇒ none ⊕ C ⇒ none ) ) ) ⇒
        E ⇒ C ⊕ N; none || rec X.( E ⇒ E; X ⊕ N ⇒ none ⊕ C ⇒ none ) ⟩    (1)

    by initial configuration,
    and by step on γ (subtyping for &) with E ⇒ E; X,
    and the same with β (using (step:Alternative-P)).

    ⟨ N ⊕ C , N ⇒ none ⊕ C ⇒ none ⇒
        none || rec X.( E ⇒ E; X ⊕ N ⇒ none ⊕ C ⇒ none ) ⟩    (2)

    by step on (1) with γ (subtyping for &) with E ⇒ N ⊕ C; ... and the same with α.

    ⟨ none , none ⇒ none || none ⟩    (3)

    by step on (2) with γ and β (using both N and C, but individually).

S is closed (up to unfolding of recursive types and subtyping).
Client Code. One possible use of the pipe is shown in the client code below.

    let takeAll = <C>fun( reader : [ tryTake : [] :: C ⊸ NoResult#( [] :: C ) +
                                                    Depleted#[] + Result#( int :: C ) ] :: C ).
      let res = reader.tryTake() in
        case res of
          Depleted#_ → {}                   // pipe closed, done
        | Result#_ →                        // ignores result to continue taking elements off
            takeAll[C]( reader )            // not closed
        | NoResult#_ → abort( "invalid" )   // throws runtime exception
        end
      end
    in
      open <C,<P,pipe>> = newPipe() in
        let writer = pipe in
          writer.put( 1 );
          writer.put( 2 );
          writer.close()
        end
        let reader = pipe in
          takeAll[C]( reader )              // all pipe components exhausted
        end
      end
    end

Note that our definition of takeAll needs to make an assumption on a specific "alias interleaving"
in the use of the shared state: it is meant to only be called after the pipe is closed. Such a
condition cannot be expressed in our types (and is usually enforced in concurrent systems by
waiting), and therefore we use an abort function that could, for instance, throw an exception or
diverge the execution if the shared state still holds a value of that type.

6.5  Last-to-use  Recovery 

The following code snippet shows a usage where the last alias to use the shared state recovers
ownership of that state. Such a scheme could be extended to an arbitrary, but finite, number of
aliases. We use the following abbreviations: H for "rw t Held#[]", and F for "rw t Free#int", and
where Alias is the following protocol:

    ( rw t Held#[] ⇒ rw t Free#int; none ) ⊕ ( rw t Free#int ⇒ none; none )

    open <t,x> = new Held#{} in
      // Γ = t : loc, x : ref t | Δ = rw t Held#[]
      share (rw t Held#[]) as Alias[t] || Alias[t];
      // Δ = Alias[t], Alias[t]
      outside( <t,x :: Alias[t]> );        // stores alias on some nonlocal context
      // Δ = Alias[t]
      //   = ( rw t Held#[] ⇒ rw t Free#int ) ⊕ ( rw t Free#int ⇒ none )
      // [a] Δ = ( rw t Held#[] ⇒ rw t Free#int )
      // [b] Δ = ( rw t Free#int ⇒ none )
      focus H[t], F[t];
      // [a] Δ = rw t Held#[], ( rw t Free#int; none ▷ • )
      // [b] Δ = rw t Free#int, ( none; none ▷ • )
      case !x of
        Held#n →
          // [a] Δ = rw t [], ...
          x := Free#42;
          // [a] Δ = rw t Free#int, ...
          defocus
          // [a] Δ = •
      | Free#n →
          // [b] Δ = rw t [], ...
          defocus;
          // [b] Δ = rw t []
          x := n + 1;
          // [b] Δ = rw t int
          // ...
          delete x
          // [b] Δ = •
      end
    end

Protocol Conformance.

    A: H
    γ: H ⇒ F; F ⇒ none; none
    α: H ⇒ F; none ⊕ F ⇒ none; none
    β: H ⇒ F; none ⊕ F ⇒ none; none

    ⟨ H , H ⇒ F; F ⇒ none; none ⇒
        H ⇒ F; none ⊕ F ⇒ none; none || H ⇒ F; none ⊕ F ⇒ none; none ⟩    (1)

    initial configuration.

    ⟨ F , F ⇒ none; none ⇒ none || H ⇒ F; none ⊕ F ⇒ none; none ⟩    (2)

    by step on (1) with γ and α.

    ⟨ F , F ⇒ none; none ⇒ H ⇒ F; none ⊕ F ⇒ none; none || none ⟩    (3)

    by step on (1) with γ and β.

    ⟨ none , none ⇒ none || none ⟩    (4)

    by step on (2) or (3) with γ and β / α, respectively.

S is closed (up to unfolding of recursive types and subtyping).

6.6  Wait-until-used  Recovery 

The following protocols model a usage equivalent of "busy-waiting". Upon splitting, one protocol
(OneUse) uses the shared state once and discards ownership of that state, and the other (Retry)
retries an arbitrary number of times, "waiting" for the first alias/protocol to finish its use.

    OneUse ≜ ∀p.( rw p Held#[] ⇒ rw p Free#int )

    Retry  ≜ ∀p.rec X.( ( rw p Held#[] ⇒ rw p Held#[]; X ) ⊕ ( rw p Free#int ⇒ none ) )

    open <t,x> = new Held#{} in
      share ( rw t Held#[] ) as Retry[t] || OneUse[t];
      outside( < t, x :: OneUse[t] > );   // captures OneUse in some other nonlocal context
      rec Y.                              // recursion is encoded as an idiom
        focus ( rw t Held#[] ), ( rw t Free#int );
        case !x of
          Held#n →
            x := Held#n;                  // Retry only guarantees Held#[] back (H ⇒ H; X)
            defocus;                      // retry, did not consume shared type!
            Y                             // recursion point
        | Free#n →                        // recovers
            defocus;
            x := n + 1;
            // ...
            x := !x + 1;
            // ...
            delete x
        end
    end

Protocol Conformance.

We use the following abbreviations: H for "rw p Held#[]", and F for "rw p Free#int".

    A: H
    γ: rec X.( H ⇒ H; X & H ⇒ F; F ⇒ none; none )
    α: H ⇒ F; none                                     (OneUse)
    β: rec X.( H ⇒ H; X ⊕ F ⇒ none; none )             (Retry)

    ⟨ H , rec X.( H ⇒ H; X & H ⇒ F; F ⇒ none; none ) ⇒
        H ⇒ F; none || rec X.( H ⇒ H; X ⊕ F ⇒ none; none ) ⟩    (1)

    initial configuration, and also the result of stepping (1) with H ⇒ H; X on γ and β
    (subtyping for &).

    ⟨ F , F ⇒ none; none ⇒ none || rec X.( H ⇒ H; X ⊕ F ⇒ none; none ) ⟩    (2)

    by step on (1) with γ and α.

    ⟨ none , none ⇒ none || none ⟩    (3)

    by step on (2) with γ and β.

S is closed (up to unfolding of recursive types and subtyping).

Alternative Protocols.

The protocol above only allows OneUse to use the state once. Alternatively, we could have the
shared state contain a state S that is used for a wait phase, and then N for the recovery step, as
follows:

    RetryRecovery   = rec X.( ( S ⇒ S; X ) ⊕ ( N ⇒ none ) )
    UseUntilDiscard = rec X.( ( S ⇒ S; X ) & ( S ⇒ N; none ) )
7 Related Work

We now discuss other works that offer flexible sharing mechanisms. Although there are other
interesting works [1,2,4,5,7,30] in the area, they limit sharing to an invariant.

In Chalice [19], programmer-supplied permissions and predicates are used to show that a program
is free of data races and deadlocks. A limited form of rely-guarantee is used to reason about
changes to the shared state that may occur between atomic sections. All changes from other threads
must be expressed in auxiliary variables and be constrained to a two-state invariant that relates the
current with the previous state, and where all rely and guarantee conditions are the same for all
threads.

Several recent approaches that use advanced program logics [9, 10, 22, 29, 31] employ rely-
guarantee reasoning to verify inter-thread interference. Although our approach is type-based rather
than logic-based, there are several underlying similarities. Concurrent abstract predicates [9]
extend the concept of abstract predicates [22] to express how state is manipulated, supporting
internally aliased state through a fiction of disjointness (also present in [16, 18]) that is based on
rely-guarantee principles and has similarities to our own abstractions. Their use of rely-guarantee
also allows intermediate states within a critical section, which are immediately weakened (made
stable) to account for possible interference when that critical section is left. Although our use
of rely-guarantee is tied to state (be it references or abstracted state), not threads, our protocols
capture an identical notion of stability through a simpler constraint that ensures all visible states
are considered during protocol conformance. Another modeling distinction is that our interference
specification lists the resulting states (from interference), not the actions that can (or cannot [10])
occur from external/unknown sources.

Sharing based on monotonicity [12,23] enables unrestricted aliasing that cannot interfere since the
changes converge to narrower, more precise, states. Our protocols are able to express monotonicity.
However, since the rely and guarantee types of a step in the protocol must describe a finite number
of states, we lack the type expressiveness of [23]. We believe this concern is orthogonal to our
core sharing concepts, and is left as future work. We are also capable of expressing more than just
monotonicity. For instance, due to ownership recovery, a cell can oscillate between shared and
non-shared states during its lifetime, with each sharing phase completely unrelated to previous
uses.

Gordon et al. [15] propose a type system where references carry three additional type components:
a predicate (for local knowledge), a guarantee relation, and a rely relation. They handle
an unknown number of aliases by constraining the writes to a cell to fit within the alias' declared
guarantee, similarly to how rely-guarantee is used in program logics to handle thread-based
interference. Although they support a limited form of protocol (and their technique can generally be
considered as a two-state protocol), their system effectively limits the actions allowed by each new
alias to be strictly decreasing since their guarantee must fit within the original alias' guarantee.
Since we support ownership recovery of shared state, a cell can be shared and return to non-shared
without such restriction. Unlike ours, their work does not allow intermediate inconsistent states
since all updates are publicly visible. In addition, their work requires proof obligations for, among
other things, guarantee satisfaction, while we use a more straightforward definition of protocol
conformance that is not dependent on theorem-proving. However, their use of dependent refinement
types adds expressiveness (e.g. their predicates capture an infinite state space, while our state space
is finite) but increases the challenges in automation, as typechecking requires manual assistance in
Coq.

Krishnaswami et al. [18] define a generic sharing rule based on the use of frame-preserving
operations over a commutative monoid (later shown to be able to encode rely-guarantee [8]). The
core principle is centered on splitting the internal resources of an ADT such that all aliases obey
an invariant that is shared, while also keeping some knowledge about the locally-owned shared
state. By applying a frame condition over its specification, their shared resources ensure that any
interference between clients is benign since it preserves the fiction of disjointness. Thus, local
assumptions can interact with the shared state without being affected by the actions done through
other aliases of that shared state. The richness of their specification language means that, although it
might not always be an obvious, simple or direct encoding, protocols are likely encodable through
the use of auxiliary variables. However, our use of a protocol paradigm presents a significant
conceptual distinction since we do not need sharing to be anchored to an ADT. Therefore, we can
share individual references directly without requiring an intermediary module to indirectly offer
access to the shared state, but we also allow such uses to exist. Similarly, although both models
allow ownership recovery, our protocols are typing artifacts, which means that we do not need an
ADT layer to enable this recovery, and the state of that protocol can be switched to participate in
completely unrelated protocols later on. Their abstractions are also shared symmetrically, while
our protocols can restrict the available operations of each alias asymmetrically. Additionally, after
the initial split, our shared state may continue to be split in new ways. Finally, we use focus to
statically forbid re-entrant uses of shared state, while they use dynamic checks that diverge the
execution when such an operation is wrongly attempted.


8 Conclusions

We introduced a new flexible and lightweight interference control mechanism, rely-guarantee
protocols. By constraining the actions of an alias and expressing the effects of the remaining aliases,
our protocols ensure that only benign interference can occur when using shared state. We showed
how these protocols capture many challenging and complex aliasing idioms, while still fitting
within a relatively simple protocol abstraction. Our model departs from prior work by, instead
of splitting shared resources encoded as monoids, offering an alternative paradigm of "temporal"
splits that model the coordinated interactions between aliases. A prototype implementation, which
uses a few additional annotations to ensure typechecking is decidable, is currently underway.
A Auxiliary Definitions

Fetching the initial state of a rely-guarantee protocol:

    initial( A ⇒ B; C )  = A
    initial( A ⊕ B )     = initial(A) ⊕ initial(B)
    initial( A & B )     = initial(A) & initial(B)
    initial( rec X.A )   = initial( A{rec X.A/X} )
    initial( none )      = none

Extending a rely-guarantee protocol with protocol Z, on a step where it would otherwise just
recover ownership of the state and terminate:

    ( A ⇒ none; none ) × Z = A ⇒ initial(Z); Z
    ( A ⇒ B; C ) × Z       = A ⇒ B; ( C × Z )
    ( A ⊕ B ) × Z          = A × Z ⊕ B × Z
    ( A & B ) × Z          = A × Z & B × Z
    ( rec X.A ) × Z        = A{rec X.A/X} × Z

Additionally, if initial(Z) = A then:

    ( A ⇒ none; none ) × Z = Z

so that the extension fully replaces the old step, without leaving a redundant step.


Our sharing rule is:

         A0 ⇒ A1 || A2
    ------------------------
    share A0 as A1 || A2

That uses protocol conformance through the following idiom, using the syntax A0 ⇒ A1 || A2,
such that:

  • if A0 is not a rely-guarantee protocol:

        ⟨ A0 , A' ⇒ A1 || A2 ⟩

    where A' is a rely-guarantee protocol such that initial(A') = A0.

  • if A0 is a rely-guarantee protocol (i.e. we wish to re-split that protocol in A1 and A2):

        ⟨ initial(A0) , A0 × A0' ⇒ A1 || A2 ⟩

    where A0' is a valid extension for the protocol A0 such that A1 and A2 conform with what A0
    initially does, with the addition of some extra steps (A0'). Such an extension is optional.
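An executable reading of these definitions, as an added example that is not the paper's code or its prototype: the Python program below represents protocols over abstract states (the H, F, E, N, C, R and D abbreviations of Section 6), implements initial and the extension operator × of this appendix, and closes the set of configurations of protocol conformance in the way the derivations of the pipe, last-to-use and wait-until-used examples do. It assumes a simplified model rather than the paper's formal definition: a guarantee is a set of atomic states (so N ⊕ C is {N, C}, and a state alternative is stepped one atom at a time), the subtyping the derivations use to make the owner's and the alias' protocols match is approximated by requiring equal guarantee sets, and (rec X.P) × Z is applied under the binder, which is the reading that reproduces the combined protocol of the Receiver/Compressor/Storer re-split shown earlier.

```python
# Added example (not the paper's code): rely-guarantee protocols over abstract
# states. A state is an atom ("H" for rw t Held#[], "F" for rw t Free#int, "none"
# for a consumed cell); a guarantee is a set of atoms, so "N|C" encodes N ⊕ C.
# Assumption: the derivations' use of subtyping is approximated by requiring an
# alias step and the owner's step to have exactly the same guarantee set.
from collections import namedtuple

Step = namedtuple("Step", "rely guarantee next")  # rely => guarantee; next
Alt = namedtuple("Alt", "branches")               # P0 ⊕ P1: one branch per possible state
Inter = namedtuple("Inter", "branches")           # P0 & P1: the alias picks one branch
Rec = namedtuple("Rec", "var body")               # rec X.P; a bare str is the variable X
# The terminated protocol "none" is represented by None.

def step(rely, guarantee, nxt=None):
    """rely => guarantee; nxt, with the guarantee written as "N|C" for N ⊕ C."""
    return Step(rely, frozenset(guarantee.split("|")), nxt)

def subst(p, var, by):
    """p{by/var}: used to unfold rec X.P into P{rec X.P/X}."""
    if isinstance(p, str):
        return by if p == var else p
    if isinstance(p, Step):
        return Step(p.rely, p.guarantee, subst(p.next, var, by))
    if isinstance(p, (Alt, Inter)):
        return type(p)(tuple(subst(b, var, by) for b in p.branches))
    if isinstance(p, Rec) and p.var != var:
        return Rec(p.var, subst(p.body, var, by))
    return p

def initial(p):
    """initial(P) of Appendix A: the set of states P may rely on first."""
    if p is None:
        return frozenset()
    if isinstance(p, Step):
        return frozenset({p.rely})
    if isinstance(p, Rec):
        return initial(subst(p.body, p.var, p))
    return frozenset().union(*(initial(b) for b in p.branches))

def extend(p, z):
    """P × Z of Appendix A: continue with Z where P would recover and stop.
    Recursion is extended under the binder: (rec X.P) × Z = rec X.(P × Z)."""
    if isinstance(p, Step) and p.next is None and p.guarantee == {"none"}:
        return z if initial(z) == {p.rely} else Step(p.rely, initial(z), z)
    if isinstance(p, Step):
        return Step(p.rely, p.guarantee, extend(p.next, z))
    if isinstance(p, (Alt, Inter)):
        return type(p)(tuple(extend(b, z) for b in p.branches))
    if isinstance(p, Rec):
        return Rec(p.var, extend(p.body, z))
    return p

def moves(p, state):
    """(guarantee, continuation) pairs that p offers when the cell is in `state`."""
    if p is None:
        return []
    if isinstance(p, Rec):
        return moves(subst(p.body, p.var, p), state)
    if isinstance(p, Step):
        return [(p.guarantee, p.next)] if p.rely == state else []
    return [m for b in p.branches for m in moves(b, state)]

def conforms(state, owner, left, right):
    """Close the set of configurations <state, owner => left || right>.
    Every live alias must be able to step from each reachable state, by a step
    the owner protocol also takes; all interleavings and all alternatives of a
    guarantee are explored, one atom at a time, until no new configuration."""
    seen, todo = set(), [(state, owner, left, right)]
    while todo:
        cfg = todo.pop()
        if cfg in seen:
            continue
        seen.add(cfg)
        s, p, q, r = cfg
        for side, alias in enumerate((q, r)):
            if alias is None:
                continue
            mine = moves(alias, s)
            if not mine:
                return False      # the alias would observe an unexpected state
            for g, nxt in mine:
                matched = [pn for go, pn in moves(p, s) if go == g]
                if not matched:
                    return False  # the owner never guarantees what the alias writes
                for pn in matched:
                    for s2 in g:
                        todo.append((s2, pn, nxt, r) if side == 0 else (s2, pn, q, nxt))
    return True

# Protocols of Sections 6.5 (Alias) and 6.6 (OneUse, Retry) with their owner γ.
ALIAS = Alt((step("H", "F"), step("F", "none")))
OWNER_65 = step("H", "F", step("F", "none"))
ONE_USE = step("H", "F")
RETRY = Rec("X", Alt((step("H", "H", "X"), step("F", "none"))))
OWNER_66 = Rec("X", Inter((step("H", "H", "X"), step("H", "F", step("F", "none")))))
```

conforms("H", OWNER_65, ALIAS, ALIAS) and conforms("H", OWNER_66, ONE_USE, RETRY) both close successfully, while conforms("H", OWNER_65, ONE_USE, ONE_USE) fails: once one alias has turned the cell Free, the other, which only handles Held, would observe an unexpected state, which is exactly what conformance rules out. The γ/α/β triple of the pipe example and the Receiver/Compressor/Storer re-split can be checked the same way; extend(TMP, Z) for TMP = rec X.(F ⇒ F; X ⊕ R ⇒ none) and Z = rec T.(R ⇒ R; T & R ⇒ D; D ⇒ none) yields rec X.(F ⇒ F; X ⊕ Z), whose initial is {F, R}, matching the derivation above.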
We use the following possible definition of non-shared types of Δ. Therefore, the following
elements are sure to not include access to shared parts of the heap:

    none non-shared          !A non-shared

       A non-shared              A non-shared          A0 non-shared    A1 non-shared
    -------------------      --------------------     ---------------------------------
    rw p A non-shared        ∃t.A non-shared             A0 :: A1 non-shared
B Proofs


B.1 Well-Formed Types and Environments

Our well-formed definition ensures that types are properly formed (i.e. type formation). Therefore,
each type must have all the location variables it depends on declared in the corresponding enclosing
Γ environment, so that all location variables must be known in the same scope as the capability that
refers to a certain location variable. An analogous condition must hold for type variables.

Definition 3 (Well-Formed). We have the following cases (defined by induction on the structure
of the type/environment):

  • Γ wf (Gamma)

        · wf

          Γ wf                 Γ wf                 Γ wf    Γ ⊢ A type
      ----------------     ------------------     ------------------------
      Γ, p : loc wf        Γ, X : type wf             Γ, v : A wf

  • Γ ⊢ Δ wf (Delta)

        Γ ⊢ · wf

        Γ ⊢ Δ wf    Γ ⊢ A type       Γ ⊢ Δ wf    Γ ⊢ A type       Γ ⊢ A type    Γ ⊢ Δ wf    Γ ⊢ Δ' wf
      ---------------------------   --------------------------   -----------------------------------------
          Γ ⊢ Δ, v : A wf               Γ ⊢ Δ, A wf                       Γ ⊢ Δ, A ▷ Δ' wf

  • Γ ⊢ A type (Type)

        Γ ⊢ none type

          Γ ⊢ A type             Γ ⊢ A_i type              Γ ⊢ A0 type    Γ ⊢ A1 type
      ------------------     -------------------------   -------------------------------
        Γ ⊢ !A type          Γ ⊢ [ f_i : A_i ] type          Γ ⊢ ( A0 ⊸ A1 ) type

        p : loc ∈ Γ    Γ ⊢ A type
      -----------------------------     Γ, p : loc ⊢ ( ref p ) type      Γ, X type ⊢ X type
          Γ ⊢ ( rw p A ) type

        Γ ⊢ A0 type    Γ ⊢ A1 type        Γ ⊢ A0 type    Γ ⊢ A1 type
      ------------------------------    ------------------------------
          Γ ⊢ ( A0 :: A1 ) type             Γ ⊢ ( A0 * A1 ) type

        Γ, t : loc ⊢ A type     Γ, t : loc ⊢ A type     Γ, X type ⊢ A type     Γ, X type ⊢ A type
      -----------------------   -----------------------  ----------------------  ----------------------
          Γ ⊢ ∀t.A type             Γ ⊢ ∃t.A type           Γ ⊢ ∀X.A type           Γ ⊢ ∃X.A type

        Γ ⊢ A0 type    Γ ⊢ A1 type        Γ ⊢ A0 type    Γ ⊢ A1 type        Γ, X type ⊢ A type
      ------------------------------    ------------------------------    -----------------------
          Γ ⊢ A0 ⊕ A1 type                  Γ ⊢ A0 & A1 type                  Γ ⊢ rec X.A type

          Γ ⊢ A_i type                Γ ⊢ A0 type    Γ ⊢ A1 type        Γ ⊢ A0 type    Γ ⊢ A1 type
      -------------------------     ------------------------------    ------------------------------
        Γ ⊢ Σ_i l_i#A_i type              Γ ⊢ A0; A1 type                   Γ ⊢ A0 ⇒ A1 type

Note that well-formedness conditions are not explicitly mentioned and are assumed to be present
whenever they are relevant.

We define locs(A), where Γ ⊢ A type, to be the set of all location variables/constants present in
A (thus, declared in the smallest Γ such that Γ ⊢ A type).
B.2 Subtyping Inversion Lemma

Lemma 1 (Subtyping Inversion Lemma). We have the following cases for types (A) and for the
linear typing environment (Δ):

  • (Type) If A <: A' then one of the following holds:

    1. A' = A.
    2. if A = !A0 then either:
       (a) A' = A0, or;
       (b) A' = !A1 and A0 <: A1, or;
       (c) A' = ![].
    3. if A = A0 ⊸ A1 then A' = A2 ⊸ A3 and A1 <: A3 and A2 <: A0.
    4. if A = A0 :: A2 then A' = A1 :: A3 and A0 <: A1 and A2 <: A3.
    5. if A = [ f̄ : Ā ] then either:
       (a) A = [ f̄ : Ā, f_i : A_i ] and A' = [ f̄ : Ā ] and i > 0.
       (b) A = [ f̄ : Ā, f_i : A0 ] and A' = [ f̄ : Ā, f_i : A1 ] and A0 <: A1.
       (c) A = [ f̄ : !Ā ] and A' = ![ f̄ : !Ā ].
    6. if A = rw p A0 then A' = rw p A1 and A0 <: A1.
    7. if A = ∃t.A0 then A' = ∃t.A1 and A0 <: A1.
    8. if A = ∀t.A0 then A' = ∀t.A1 and A0 <: A1.
    9. if A = ∃X.A0 then A' = ∃X.A1 and A0 <: A1.
    10. if A = ∀X.A0 then A' = ∀X.A1 and A0 <: A1.
    11. if A = ref p then A' = !(ref p).
    12. if A = A0 * A1 then either:
       (a) A' = A1 * A0, or;
       (b) A' = A0 * A2 and A1 <: A2, or;
       (c) if A0 = (A2 * A3) then A' = A2 * (A3 * A1).
    13. if A = Σ_i l_i#A_i then A' = l'#A' + Σ_i l_i#A_i.
    14. if A = A0{rec X.A0/X} then A' = rec X.A0.
    15. if A = rec X.A0 then either:
       (a) A' = rec X.A1 and A0 <: A1, or;
       (b) A' = A0{rec X.A0/X}.
    16. if A = A0 & A1 then A' = A0.
    17. A' = A ⊕ A''.

  • (Delta) If Δ <: Δ' then one of the following holds:

    1. Δ = Δ'.
    2. if Δ = Δ0, x : A0 then Δ' = Δ1, x : A1 and Δ0 <: Δ1 and A0 <: A1.
    3. if Δ = Δ0, A0 then Δ' = Δ1, A1 and Δ0 <: Δ1 and A0 <: A1.
    4. if Δ = Δ0, A0, A1 then either:
       (a) Δ' = Δ0, A0 * A1, or;
       (b) case (3) with A0, or;
       (c) case (3) with A1.
    5. if Δ = Δ0, A0 * A1 then Δ' = Δ0, A0, A1.
    6. if Δ = Δ0, none then Δ' = Δ0.
    7. Δ' = Δ, none.
    8. if Δ = Δ0, A0 ⊕ A1 then Δ0, A0 <: Δ' and Δ0, A1 <: Δ'.
    9. if Δ' = Δ1, A0 & A1 then Δ <: Δ1, A0 and Δ <: Δ1, A1.

Proof. We only very informally sketch the proof, without going into detail on each case since they
are straightforward to show.

  1. (Type) By induction on the derivation of A <: A'.

     Case (st:Symmetry)      Case 1 of the definition.
     Case (st:ToLinear)      Case 2 (a) of the definition.
     Case (st:Pure)          Case 2 (b) of the definition.
     Case (st:Top)           Case 2 (c) of the definition.
     Case (st:Ref)           Case 11 of the definition.
     Case (st:Function)      Case 3 of the definition.
     Case (st:Loc-Exists)    Case 7 of the definition.
     Case (st:Loc-Forall)    Case 8 of the definition.
     Case (st:Type-Exists)   Case 9 of the definition.
     Case (st:Type-Forall)   Case 10 of the definition.
     Case (st:Record)        Case 5 (b) of the definition.
     Case (st:Discard)       Case 5 (a) of the definition.
     Case (st:PurifyRec)     Case 5 (c) of the definition.
     Case (st:Stack)         Case 4 of the definition.
     Case (st:Cap)           Case 6 of the definition.
     Case (st:Com)           Case 12 (a) of the definition.
     Case (st:Cong)          Case 12 (b) of the definition.
     Case (st:Assoc)         Case 12 (c) of the definition.
     Case (st:Sum)           Case 13 of the definition.
     Case (st:Fold)          Case 14 of the definition.
     Case (st:Unfold)        Case 15 (a) of the definition.
     Case (st:Rec)           Case 15 (b) of the definition.
     Case (st:Alternative)   Case 17 of the definition.
     Case (st:Intersection)  Case 16 of the definition.

  2. (Delta) By induction on the derivation of Δ <: Δ'.

     Case (sd:Symmetry)        Case 1 of the definition.
     Case (sd:Var)             Case 2 of the definition.
     Case (sd:Type)            Cases 3, 4 (b) and 4 (c) of the definition.
     Case (sd:Star), right     Case 4 of the definition.
     Case (sd:Star), left      Case 5 of the definition.
     Case (sd:None)            Cases 7 (for <:, right) and 6 (for :>, left) of the definition.
     Case (sd:Alternative-L)   Case 8 of the definition.
     Case (sd:Intersection-R)  Case 9 of the definition.

□
B.3 Protocol Conformance Preservation

Lemma 2 (Protocol Conformance Preservation). If A ⇒ P || Q then:

  • if A is not a rely-guarantee protocol, then ⟨A, P⟩ → ⟨A', P'⟩;

  • if A is a rely-guarantee protocol, then ⟨A_S, A⟩ → ⟨A'_S, A'⟩;

and A' ⇒ P' || Q. Similarly for Q.

Proof. Immediate since the definition of protocol conformance requires all following configurations
to be in S, including one that just uses P or Q. Therefore, all subsequent configurations must
also conform regardless of which particular step is taken. □

This lemma ensures that a protocol will never get stuck in an unexpected state. Therefore, by
definition, each protocol works on its own since it must consider the case of Q never being used.
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B.4  Store  Typing 


We  use  the  notation  F  to  mean  that  F  is  elosed  in  the  sense  of  only  eontaining  {p  :  loc)  elements 
and  nothing  else.  Therefore,  it  only  lists  the  known  loeation  constants.  Similarly,  we  use  A  to 
mean  that  A  is  elosed,  so  that  it  only  ineludes  eapabilities  (of  the  form:  rw  p  A  —  note  the  loeation 
eonstant  p)  or  rely-guarantee  protocols.  There  is  no  ineonsisteney  with  the  notation  of  A  sinee  if 
sueh  type  ean  only  depend  on  elosed  environments  (in  order  to  be  well-formed),  then  it  too  must 
be  elosed  or  it  would  not  be  well-formed. 

Definition  4  (Store  Typing). 

(str:Loc)  (str:Star)  (str:None) 

(str:Empty)  f|Ah//  f|A,Ao,Aih//  F  |  A  h // 

•l-^-  r,p:loc|Ah//  f|A,Ao*Aih//  f|A,noneh// 

(str:Intersection) 

(str: Alternative)  F  |  A,Ao  I-  //  (str:Binding) 

F  I  A,  Ao  h  //  f  I  A,  Ai  h  //  f\A,Av^  H  r|A,hv:AH- 

F  I  A,Ao  ©  Ai  h //  F  I  A,Ao&Ai  h //  F  |  A,rwp  A  h //,p  v 
(str:Share)  (^r:D^ocus) 

^o^Ai||A2  A'^=^\A2  ^^Ai||A2 

r|  A,Aoh//  Y\A''^H  Y\A'^H' 

r|A,Ai,A2h//  FI  A',(Ao;Ai)>Ah//',// 

Note that, since the added capability in (str:Binding) must still be well-formed, $\Gamma$ must contain $p$. For the same reason, $p$ must not already appear in $\Delta$ or $H$.

On (str:Alternative), we only need one rule because the type is assumed to be commutative.

(str:Defocus) ensures that the remaining protocol contained in the typing environment conforms after the $A_0$ state is reached (which may not yet be the case). Similarly, due to the support of $H$, it ensures that $A_2$ is either $\mathsf{none}$ or a type that is a protocol for the state of $A_0$. All other parts of the heap must be supported by $\Delta'$. The use of $\setminus$ is to highlight that $A_2$ (a protocol that is the result of merging all other protocols to that state that may be in $\Delta$) may be at any defocus depth; however, it must be hidden behind that $\triangleright$.

The operation $\Delta \setminus A$ extracts $A$ from $\Delta$, where $A$ is the result of merging all the protocols in $\Delta$ that are compatible with it, until no more can be merged:

$$\frac{A_0 \Rrightarrow A_1 \,||\, A_2 \qquad \Delta_0 = \Delta_1 \setminus A_1 \qquad \Delta_1 = \Delta_2 \setminus A_2}{\Delta_0 = \Delta_2 \setminus A_0}
\qquad
\frac{A_0 \Rrightarrow A_1 \,||\, A_2 \qquad \Delta_0 = \Delta_1 \setminus A_1 \qquad \Delta_3 = \Delta_2 \setminus A_2}{\Delta_0, A' \triangleright \Delta_3 = (\Delta_1, A' \triangleright \Delta_2) \setminus A_0}
\qquad
\frac{\mathrm{not}\ \Delta \setminus A}{\Delta = \Delta, A \setminus A}$$

It is crucial to note that the definition above enables parts of these protocols to not be present, and still conform. Therefore, even if part of the environment is (temporarily) framed, the remaining visible protocol still conforms, although with potential steps that appear "unreachable". Similarly, $\mathsf{none}$ always conforms and can be used when necessary.
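To make the structural part of Definition 4 concrete, the following Python decision procedure is an added illustration and not the paper's own code. It implements (str:Empty), (str:Loc), (str:Star), (str:None), (str:Intersection), (str:Alternative) and (str:Binding) over a constructed heap, and leaves the protocol rules (str:Share) and (str:Defocus) out. It assumes, for (str:Binding), that the only value types are $\mathsf{ref}\ q$ and $[]$, so that the value environment $\Delta_v$ is always empty; the class and function names are ours.

```python
# Added illustration, not the paper's own code: a decision procedure for the
# structural store-typing rules of Definition 4. Assumption: values are either a
# location constant q (type ref q) or the unit value () (type []), so the value
# environment Delta_v used by (str:Binding) is always empty. Protocol rules
# (str:Share) and (str:Defocus) are not modelled.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple, Union


@dataclass(frozen=True)
class Unit:                 # the type []
    pass

@dataclass(frozen=True)
class Ref:                  # the type ref q
    loc: str

@dataclass(frozen=True)
class RW:                   # the capability rw p A
    loc: str
    content: "Type"

@dataclass(frozen=True)
class Star:                 # A0 * A1
    left: "Type"
    right: "Type"

@dataclass(frozen=True)
class Inter:                # A0 & A1
    left: "Type"
    right: "Type"

@dataclass(frozen=True)
class Alt:                  # A0 (+) A1 (commutative, so one rule suffices)
    left: "Type"
    right: "Type"

@dataclass(frozen=True)
class NoneT:                # none
    pass


Type = Union[Unit, Ref, RW, Star, Inter, Alt, NoneT]
Value = Union[str, tuple]   # a location constant name, or () for unit
Heap = Dict[str, Value]     # H as a map p -> v


def value_has_type(gamma: FrozenSet[str], v: Value, a: Type) -> bool:
    """Gamma | . |- v : A -| .  for the two value forms modelled ((t:Ref), (t:Unit))."""
    if isinstance(a, Ref):
        return isinstance(v, str) and v == a.loc and v in gamma
    if isinstance(a, Unit):
        return v == ()
    return False


def store_typed(gamma: FrozenSet[str], delta: Tuple[Type, ...], heap: Heap) -> bool:
    """Decide Gamma | Delta |- H. Gamma is the set of known location constants
    ((str:Loc) only adds names to it). Delta is a set, so examining its elements
    left to right loses no derivations."""
    if not delta:                          # (str:Empty): nothing may be left in H
        return not heap
    head, rest = delta[0], delta[1:]
    if isinstance(head, NoneT):            # (str:None)
        return store_typed(gamma, rest, heap)
    if isinstance(head, Star):             # (str:Star): unpack both conjuncts
        return store_typed(gamma, rest + (head.left, head.right), heap)
    if isinstance(head, Inter):            # (str:Intersection): both views must hold
        return (store_typed(gamma, rest + (head.left,), heap)
                and store_typed(gamma, rest + (head.right,), heap))
    if isinstance(head, Alt):              # (str:Alternative): one view suffices
        return (store_typed(gamma, rest + (head.left,), heap)
                or store_typed(gamma, rest + (head.right,), heap))
    if isinstance(head, RW):               # (str:Binding): consume the cell p -> v
        p = head.loc
        if p not in gamma or p not in heap:
            return False
        if not value_has_type(gamma, heap[p], head.content):
            return False
        return store_typed(gamma, rest, {q: v for q, v in heap.items() if q != p})
    return False                           # a bare value type is not a capability


# Constructed heap: p holds a pointer to q, q holds the unit value.
GAMMA = frozenset({"p", "q"})
HEAP: Heap = {"p": "q", "q": ()}


def examples() -> Dict[str, bool]:
    """Well-typed and ill-typed environments for the constructed HEAP."""
    return {
        # one capability per cell, packed with *: accepted
        "star": store_typed(GAMMA, (Star(RW("p", Ref("q")), RW("q", Unit())),), HEAP),
        # the same capability twice: the second copy finds p already consumed
        "duplicate": store_typed(GAMMA, (RW("p", Ref("q")), RW("p", Ref("q")), RW("q", Unit())), HEAP),
        # q is never covered by a capability: rejected by (str:Empty)
        "uncovered": store_typed(GAMMA, (RW("p", Ref("q")),), HEAP),
        # alternative: the right branch types the heap, the left does not
        "alt": store_typed(GAMMA, (Alt(RW("p", Ref("p")), RW("p", Ref("q"))), RW("q", Unit())), HEAP),
        # intersection: both views are required, and rw p (ref p) is wrong for p -> q
        "inter": store_typed(GAMMA, (Inter(RW("p", Ref("p")), RW("p", Ref("q"))), RW("q", Unit())), HEAP),
    }
```

The two rejected cases are the ones the linear environment is designed to catch: a duplicated $\mathsf{rw}$ capability (the second copy finds its cell already consumed) and a cell that no capability accounts for. Because $\Delta$ is a set, the order in which the procedure examines its elements does not change the answer.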

Lemma 3 (Store Typing Inversion Lemma). If

$$\Gamma \mid \Delta \vdash H$$

then one of the following holds:

1. $\Gamma = \cdot$ and $\Delta = \cdot$ and $H = \cdot$.

2. if $\Gamma = \Gamma', p : \mathsf{loc}$ then $\Gamma' \mid \Delta \vdash H$.

3. if $\Delta = \Delta', A_0 * A_1$ then $\Gamma \mid \Delta', A_0, A_1 \vdash H$.

4. if $\Delta = \Delta', \mathsf{rw}\ p\ A$ and $H = H', p \hookrightarrow v$ then $\Gamma \mid \Delta', \Delta_v \vdash H'$ and $\Gamma \mid \Delta_v \vdash v : A \dashv \cdot$.

5. if $\Delta = \Delta', \mathsf{none}$ then $\Gamma \mid \Delta' \vdash H$.

6. if $\Delta = \Delta', A_0 \oplus A_1$ then either:

   • $\Gamma \mid \Delta', A_0 \vdash H$, or;

   • $\Gamma \mid \Delta', A_1 \vdash H$.

   (remember that $\oplus$ is commutative)

7. if $\Delta = \Delta', A_1, A_2$ and $A_0 \Rrightarrow A_1 \,||\, A_2$ then $\Gamma \mid \Delta', A_0 \vdash H$.

8. if $\Delta = \Delta'', (A_0 ; A_1) \triangleright \Delta'$ then $\Delta''' = \Delta' \setminus A_2$ and $A_0 \Rrightarrow A_1 \,||\, A_2$ and $\Gamma \mid \Delta''' \vdash H''$ and $\Gamma \mid \Delta'' \vdash H'$ and $H = H', H''$.

9. if $\Delta = \Delta', A_0 \,\&\, A_1$ then:

   • $\Gamma \mid \Delta', A_0 \vdash H$, and;

   • $\Gamma \mid \Delta', A_1 \vdash H$.

Proof. Straightforward induction on the derivation of $\Gamma \mid \Delta \vdash H$. □

Lemma 4 (Subtyping Store Typing). If $\Gamma \mid \Delta \vdash H$ and $\Delta <: \Delta'$ then $\Gamma \mid \Delta' \vdash H$.

Proof. By induction on the derivation of $\Gamma \mid \Delta \vdash H$.

Case (str:Empty) We have:

$\cdot \mid \cdot \vdash \cdot$ (1)

$\cdot <: \Delta'$ (2)

by hypothesis.

By (Subtyping Inversion Lemma) on (2), we have that either:

• [1] $\Delta' = \cdot$ (1.1)

We conclude by (1).

• [7] $\Delta' = \cdot, \mathsf{none}$ (2.1)

$\cdot \mid \cdot, \mathsf{none} \vdash \cdot$ (2.2)

by (str:None) on (1).

Thus, we conclude.

Case (str:Loc) We have:

$\Gamma, p : \mathsf{loc} \mid \Delta \vdash H$ (1)

$\Delta <: \Delta'$ (2)

by hypothesis.

$\Gamma \mid \Delta \vdash H$ (3)

by inversion on (str:Loc) with (1).

$\Gamma \mid \Delta' \vdash H$ (4)

by induction hypothesis with (3) and (2).

$\Gamma, p : \mathsf{loc} \mid \Delta' \vdash H$ (5)

by (str:Loc) with $p$ and (4).

Thus, we conclude.
Case (str:Binding) We have:

$\Gamma \mid \Delta, \mathsf{rw}\ p\ A \vdash H, p \hookrightarrow v$ (1)

$\Delta, \mathsf{rw}\ p\ A <: \Delta'$ (2)

by hypothesis.

$\Gamma \mid \Delta, \Delta_v \vdash H$ (3)

$\Gamma \mid \Delta_v \vdash v : A \dashv \cdot$ (4)

by inversion on (str:Binding) with (1).

By (Subtyping Inversion Lemma) on (2), we have that either:

• [1] $\Delta' = \Delta, \mathsf{rw}\ p\ A$ (1.1)

by sub-case hypothesis.

Thus, we conclude by (1).

• [3] $\Delta' = \Delta_0, A_0$ (2.1)

$\Delta <: \Delta_0$ (2.2)

$\mathsf{rw}\ p\ A <: A_0$ (2.3)

by sub-case hypothesis.

$A_0 = \mathsf{rw}\ p\ A_1$ (2.4)

$A <: A_1$ (2.5)

by (Subtyping Inversion Lemma) using case [6] with (2.3).

(Note: we are omitting cases [1], [14] and [17] since those are similar to [6].)

$\Gamma \mid \Delta_v \vdash v : A_1 \dashv \cdot$ (2.6)

by (t:Subsumption) on (4) with (2.5).

$\Gamma \mid \Delta_0, \Delta_v \vdash H$ (2.7)

by induction hypothesis on (3) and (2.2), noting that $\Delta_v$ is unchanged.

$\Gamma \mid \Delta_0, \mathsf{rw}\ p\ A_1 \vdash H, p \hookrightarrow v$ (2.8)

by (str:Binding) with (2.6) and (2.7) with $p$.

$\Gamma \mid \Delta' \vdash H, p \hookrightarrow v$ (2.9)

by rewriting (2.8) with (2.1) and (2.4).

Thus, we conclude.

• [7] $\Delta' = \Delta, \mathsf{rw}\ p\ A, \mathsf{none}$ (4.1)

by sub-case hypothesis.

$\Gamma \mid \Delta, \mathsf{rw}\ p\ A, \mathsf{none} \vdash H, p \hookrightarrow v$ (4.2)

by (str:None) on (1).

Thus, we conclude.

• [9] Immediate by applying i.h. and (str:Intersection).

Case (str:Star) We have:

$\Gamma \mid \Delta, A_0 * A_1 \vdash H$ (1)

$\Delta, A_0 * A_1 <: \Delta'$ (2)

by hypothesis.

$\Gamma \mid \Delta, A_0, A_1 \vdash H$ (3)

by inversion on (str:Star) on (1).

By (Subtyping Inversion Lemma) on (2) we have that either:

• [1] $\Delta' = \Delta, A_0 * A_1$ (1.1)

Thus, we conclude by (1).

• [3] $\Delta' = \Delta'', A$ and

$\Delta <: \Delta''$ (2.1)

$A_0 * A_1 <: A$ (2.2)

By (Subtyping Inversion Lemma) on (2.2) we have that either:

(Note: cases [1], [14] and [17] are straightforward.)

◦ [12(a)] $A = A_1 * A_0$

$\Delta' = \Delta'', A_1 * A_0$ (2.3)

by rewriting hypothesis.

$\Delta'', A_1 * A_0 <: \Delta'', A_1, A_0$ (2.4)

by (sd:Star) on (2.3).

$\Gamma \mid \Delta'', A_0, A_1 \vdash H$ (2.5)

by induction hypothesis on (3) with (2.1).

$\Gamma \mid \Delta'', A_1, A_0 \vdash H$ (2.6)

since $\Delta$ is a set, re-ordering is allowed.

Thus, we conclude by (2.6).

◦ [12(b)] $A = A_0 * A_2$ and $A_1 <: A_2$

$\Delta' = \Delta, A_0 * A_2$ (3.1)

by rewriting hypothesis.

$\Delta, A_0 * A_2 <: \Delta, A_0, A_2$ (3.2)

by (sd:Star) on (3.1).

$\Gamma \mid \Delta, A_0, A_2 \vdash H$ (3.3)

by induction hypothesis on (3) with $A_1 <: A_2$.

Thus, we conclude.

◦ [12(c)] if $A_0 = A' * A''$ then $A = A' * (A'' * A_1)$

$\Delta' = \Delta, (A' * A'') * A_1$ (4.1)

$\Gamma \mid \Delta, (A' * A''), A_1 \vdash H$ (4.2)

by rewriting hypothesis.

$\Gamma \mid \Delta, A_1, (A' * A'') \vdash H$ (4.3)

since $\Delta$ is a set, re-ordering is allowed on (4.2).

$\Gamma \mid \Delta, A_1, A', A'' \vdash H$ (4.4)

by (Store Typing Inversion Lemma) on (4.3).

$\Gamma \mid \Delta, A', A'', A_1 \vdash H$ (4.5)

since $\Delta$ is a set, re-ordering is allowed on (4.4).

$\Gamma \mid \Delta, A', (A'' * A_1) \vdash H$ (4.6)

by (str:Star) on (4.5).

$\Gamma \mid \Delta, A' * (A'' * A_1) \vdash H$ (4.7)

by (str:Star) on (4.6).

Thus, we conclude.

• [5] $\Delta' = \Delta, A_0, A_1$.

Thus, we conclude by (3).

• [7] $\Delta' = \Delta, \mathsf{none}$.

Thus, we conclude by (str:None) on (1).

• [9] Immediate by applying i.h. and (str:Intersection).

Case (str:None) We have:

$\Gamma \mid \Delta, \mathsf{none} \vdash H$ (1)

$\Delta, \mathsf{none} <: \Delta'$ (2)

by hypothesis.

$\Gamma \mid \Delta \vdash H$ (3)

by inversion on (str:None) on (1).

By (Subtyping Inversion Lemma) on (2), we have that either:

• [1] $\Delta' = \Delta, \mathsf{none}$

Thus, we conclude by (1).

• [6] $\Delta' = \Delta$

Thus, we conclude by (3).

• [7] $\Delta' = \Delta, \mathsf{none}, \mathsf{none}$

Thus, we conclude by (str:None) on (1).

• [9] Immediate by applying i.h. and (str:Intersection).

Case (str:Alternative) We have:

$\Gamma \mid \Delta, A_0 \oplus A_1 \vdash H$ (1)

$\Delta, A_0 \oplus A_1 <: \Delta'$ (2)

by hypothesis.

By (Subtyping Inversion Lemma) on (2), we have that either:

(Note: as before, we are omitting case [4] since it is straightforward.)

• [1] $\Delta' = \Delta, A_0 \oplus A_1$ (1.1)

Thus, we conclude by (1).

• [3] $\Delta' = \Delta_0, A$ (2.1)

$\Delta <: \Delta_0$ (2.2)

$A_0 \oplus A_1 <: A$ (2.3)

by sub-case hypothesis.

$A = A_0 \oplus A_1$ (2.4)

by (Subtyping Inversion Lemma) case [1] on (2.3).

(Note: we are omitting cases [14] and [17] since they are straightforward.)

By inversion on (1) we have that either:

◦ $\Gamma \mid \Delta, A_0 \vdash H$ (2.5)

$\Delta, A_0 <: \Delta_0, A_0$ (2.6)

by (sd:Type) on (2.2) and (st:Symmetry) with $A_0$.

$\Gamma \mid \Delta_0, A_0 \vdash H$ (2.7)

by induction hypothesis on (2.5) and (2.6).

$\Gamma \mid \Delta_0, A_0 \oplus A_1 \vdash H$ (2.8)

by (str:Alternative) on (2.7).

Thus, we conclude.

◦ $\Gamma \mid \Delta, A_1 \vdash H$ (2.9)

Analogous to the previous case, noting that $\oplus$ is commutative.

• [7] $\Delta' = \Delta, A_0 \oplus A_1, \mathsf{none}$ (3.1)

Thus, we conclude by (str:None) on (1).

• [8] $\Delta, A_0 <: \Delta'$ (4.1)

$\Delta, A_1 <: \Delta'$ (4.2)

by sub-case hypothesis.

By inversion on (1) we have that either:

◦ $\Gamma \mid \Delta, A_0 \vdash H$ (4.3)

$\Gamma \mid \Delta' \vdash H$ (4.4)

by induction hypothesis on (4.1) and sub-case hypothesis.

◦ $\Gamma \mid \Delta, A_1 \vdash H$ (4.5)

Analogous to the previous case, using (4.2).

• [9] Immediate by applying i.h. and (str:Intersection).

Case (str:Intersection) We have:

$\Gamma \mid \Delta, A_1 \,\&\, A_2 \vdash H$ (1)

$\Delta, A_1 \,\&\, A_2 <: \Delta'$ (2)

by hypothesis.

$\Gamma \mid \Delta, A_1 \vdash H$ (3)

$\Gamma \mid \Delta, A_2 \vdash H$ (4)

by inversion on (str:Intersection) with (1).

By (Subtyping Inversion Lemma) on (2), we have that either:

• [1] Symmetry case is immediate. (1.1)

• [3] $\Delta' = \Delta'', A_3$ (3.1)

$\Delta <: \Delta''$ (3.2)

$A_1 \,\&\, A_2 <: A_3$ (3.3)

Then, by (Subtyping Inversion Lemma) on (3.3) (and since $\&$ is commutative), we have that either:

◦ [16] $A_1 = A_3$ (3.4)

Thus, we conclude by (3).

◦ [16] $A_2 = A_3$ (3.5)

Thus, we conclude by (4).

◦ [1] $A_1 \,\&\, A_2 = A_3$ (3.6)

Thus, we conclude by (1).

◦ [17] $A_3 = A_1 \,\&\, A_2 \oplus A_4$ (3.7)

Thus, we conclude by (1) with (str:Alternative).

• [7] Analogous to previous cases. (7.1)

• [9] $\Delta' = \Delta, A_1 \,\&\, A_2$ (9.1)

Thus, we conclude by (1).

Case (str:Share) We have:

$\Gamma \mid \Delta, A_1, A_2 \vdash H$ (1)

$\Delta, A_1, A_2 <: \Delta'$ (2)

by hypothesis.

$A_0 \Rrightarrow A_1 \,||\, A_2$ (3)

$\Gamma \mid \Delta, A_0 \vdash H$ (4)

by inversion on (str:Share) with (1).

By (Subtyping Inversion Lemma) on (2), we have that either:

• [1] $\Delta' = \Delta, A_1, A_2$ (1.1)

by sub-case hypothesis.

Thus, we conclude by (1).

• [3] $\Delta' = \Delta'', A_1', A_2'$ (2.1)

$\Delta <: \Delta''$ (2.2)

$A_1 <: A_1'$ (2.3)

$A_2 <: A_2'$ (2.4)

by sub-case hypothesis (merging both cases).

$A_0 <: A_0$ (2.5)

by (st:Symmetry) on $A_0$.

$\Delta, A_0 <: \Delta'', A_0$ (2.6)

by (sd:Type) on (2.5) and (2.2).

$\Gamma \mid \Delta'', A_0 \vdash H$ (2.7)

by induction hypothesis on (4) with (2.6).

$A_0 \Rrightarrow A_1' \,||\, A_2'$ (2.8)

by (step:Subsumption) and (Protocol Conformance Preservation) with (3).

$\Gamma \mid \Delta'', A_1', A_2' \vdash H$ (2.9)

by (str:Share) with (2.7) and (2.8).

Thus, we conclude.

• [4(a)] by (str:Star) with (1).

• [4(b)/(c)] analogous to the [3(*)] cases.

• [7] by (str:None) with (1).

• [9] Immediate by applying i.h. and (str:Intersection).

Thus, we conclude.

Case (str:Defocus) Analogous to the previous case, since the only subtyping rule applicable to a defocus-guarantee is the symmetry case.

□
Lemma 5 (Store Typing Extension).

$$\Gamma \mid \Delta_0 \circledast \Delta_1 \vdash H_0, H_1$$

if and only if

$$\Gamma \mid \Delta_0 \circledast \Delta'' \vdash H_0 \qquad \Delta_1' = \Delta_1 \setminus \Delta'' \qquad \Gamma \mid \Delta_0 \vdash H_0 \qquad \Gamma \mid \Delta_1' \vdash H_1$$

The above implies, when read from top to bottom, that we can separate the heap in two parts ($H_0$ and $H_1$) such that each is supported by the two typing environments independently. Since there is the possibility of sharing, any element that is common to both $\Delta_0$ and $\Delta_1$ will be supported by the heap $H_0$. Therefore, we use the previous definition of $\Delta \setminus A$, but raised to sets of types (i.e. typing environments), to extract from $\Delta_1$ all elements that will only be supported in $H_0$.

The opposite direction is simply merging the typing environments. Also note that we are using a definition of $\Delta_0 \setminus \Delta_1$ that never rearranges elements inside a defocus-guarantee. Therefore, the elements of $\Delta_1'$ all keep the same relative defocus-guarantee depth as in $\Delta_1$.

Proof. We expand the steps of the proof to clarify the reasoning. We have the two sub-cases:

• Up sub-case:

The up case is immediate since we are just merging two disjoint heaps, while assuming that the non-separate parts already conform. The crucial step is:

(1)

First, note that $\Delta''$ can only include parts of the heap ($H_0$) that are shared, because of $\Gamma \mid \Delta_0 \vdash H_0$, as otherwise $H_0$ would have elements that are not supported by $\Delta_0$ alone. Therefore, (1) is only "pushing" shared parts into $\Delta_1$. Note that $H_0$ simultaneously supports two typing environments, one that may and another that may not include those additional shared parts (which must only be rely-guarantee protocols). As stated in the definition of $\Delta \setminus A$, our protocol conformance definition enables them to work not only alone but also when other protocols to that same state may not be present. This corresponds to apparently "useless" steps that only gain meaning when conformance is seen together with those hidden protocols. Therefore, by having the two store typing constraints on $H_0$, both with and without $\Delta''$, we are sure to correctly assume they remain valid in those two situations.

Now, the position where these are placed does not compromise store typing: if $\Delta''$ does not hold any defocus-guarantee, then the conclusion is immediate since the shared type is known to be consistent with the heap from $\Gamma \mid \Delta_0 \circledast \Delta'' \vdash H_0$; if it did hold some defocus-guarantee, then it could potentially re-order or cause a rearrangement in the list of defocus-guarantees of $\Delta_1$. However, such a case does not compromise store typing since it refers to disjoint shared types. Consequently, the order is not important since the defocus-guarantee still obeys its purpose of forbidding access to shared types whose underlying state is inconsistent; even if they are only accessible from a very conservative defocus depth, this does not break store typing by (str:Defocus), since that rule uses an arbitrary depth for the other parts of the protocol. All the elements of $\Delta_1$ that have non-shared types are immediate since they directly obey store typing through (str:Binding).

Thus, we conclude.
• Down sub-case:

By the definition of $\circledast$ we can break each environment in two sub-components according to whether they have non-shared types ($n$) or may have shared types ($s$):

$\Delta_n$ (2)

$\Delta_s$ (3)

Therefore, we can pick $H_0$ and $H_1$ such that we are able to partition the two linear environments into parts that only refer to each one independently. However, there may be shared types which could then appear in both typing environments. By making all shared parts that are common to both environments fall into $H_0$, we can easily see that $\Gamma \mid \Delta_0 \vdash H_0$ since all protocols also work alone (also note that such an operation can never expose shared types that should remain hidden due to focus). Then, if we pick the parts of $\Delta_1$ that also depend on $H_0$ by $\Delta_1' = \Delta_1 \setminus \Delta''$, we must immediately have $\Gamma \mid \Delta_0 \circledast \Delta'' \vdash H_0$ because $\Delta''$ must only contain shared types, and those rely-guarantee protocols are either defocused and, therefore, ready to be used by hypothesis or, if they correspond to an already focused state, then there must be a defocus-guarantee in $\Delta_0$ that will hide them (since otherwise we could just push that part of the state to $H_1$) and, by (str:Defocus), we know that the protocols must still conform when we consider the expected guarantee. Therefore, we conclude since the environment linked to $H_1$ obeys store typing by hypothesis. Note, however, that by (1) we may gain access to shared types of $H_1$ that before were being conservatively hidden behind a defocus-guarantee but, now that the environments are separate, no longer are. This does not violate store typing since those elements were obeying it by hypothesis (without requiring (str:Defocus)) and must refer to disjoint parts of the heap.

□
B.5 Values Inversion Lemma

Lemma 6 (Values Inversion Lemma). If $v$ is a value such that:

$$\Gamma \mid \Delta \vdash v : A_0 \dashv \cdot$$

then one of the following holds:

1. if $A_0 = []$ then: $\Delta = \cdot$ and $\Gamma \mid \cdot \vdash v : [] \dashv \cdot$

2. if $A_0 = !A_1$ then: $\Delta = \cdot$ and $\Gamma \mid \cdot \vdash v : A_1 \dashv \cdot$

3. if $A_0 = A_1 :: A_2$ then: $\Gamma \mid \Delta \vdash v : A_1 \dashv A_2$

4. if $A_0 = \mathsf{ref}\ p$ then: $v = p$ and $p : \mathsf{loc} \in \Gamma$ and $\Delta = \cdot$

5. if $A_0 = A \multimap A'$ then: $A <: A''$ and $v = \mathsf{fun}(x : A'').e$ and $\Gamma \mid \Delta^{G}, x : A'' \vdash e : A' \dashv \cdot$

6. if $A_0 = \forall t.A$ then: $v = \langle t \rangle e$ and $\Gamma, t : \mathsf{loc} \mid \Delta^{G} \vdash e : A \dashv \cdot$

7. if $A_0 = \exists t.A$ then: $v = \langle p, v' \rangle$ and $\Gamma \mid \Delta \vdash v' : A\{p/t\} \dashv \cdot$

8. if $A_0 = [\overline{f : A}]$ then: $v = \{\overline{f = v'}\}$ and $\Gamma \mid \Delta \vdash \overline{v'} : \overline{A} \dashv \cdot$

(Note that, although the record value can have more fields than those that are listed in the type, only the fields that are in the type will appear in the inversion.)

9. if $A_0 = \forall X.A$ then: $v = \langle X \rangle e$ and $\Gamma, X : \mathsf{type} \mid \Delta^{G} \vdash e : A \dashv \cdot$

10. if $A_0 = \exists X.A$ then: $v = \langle A', v' \rangle$ and $\Gamma \mid \Delta \vdash v' : A\{A'/X\} \dashv \cdot$

11. if $A_0 = \sum_i l_i \# A_i$ then: $v = l_i \# v_i$ and $\Gamma \mid \Delta \vdash v_i : A_i \dashv \cdot$ for some $i$.

12. if $A_0 = \mathsf{rec}\ X.A$ then $\Gamma \mid \Delta \vdash v : A\{\mathsf{rec}\ X.A / X\} \dashv \cdot$

13. if $\Delta = \Delta', A_1 \oplus A_2$ then $\Gamma \mid \Delta', A_1 \vdash v : A_0 \dashv \cdot$ and $\Gamma \mid \Delta', A_2 \vdash v : A_0 \dashv \cdot$

14. if $A_0 = A_1 \oplus A_2$ then either $\Gamma \mid \Delta \vdash v : A_1 \dashv \cdot$ or $\Gamma \mid \Delta \vdash v : A_2 \dashv \cdot$

Note that $A \,\&\, A'$ does not appear here since it is a capability (i.e. it just gets stacked on top of some value) and subtyping ensures its elimination.

Proof. By induction on the derivation of $\Gamma \mid \Delta \vdash v : A_0 \dashv \cdot$.

Case (t:Ref) - We have:

$\Gamma, p : \mathsf{loc} \mid \cdot \vdash p : \mathsf{ref}\ p \dashv \cdot$ (1)

by hypothesis.

Thus, we conclude by case 4 of the definition.

Case (t:Pure) - We have:

$\Gamma \mid \cdot \vdash v : !A_1 \dashv \cdot$ (1)

by hypothesis.

$\Gamma \mid \cdot \vdash v : A_1 \dashv \cdot$ (2)

by inversion on (t:Pure).

Thus, we conclude by case 2 of the definition.

Case (t:Unit) - We have:

$\Gamma \mid \cdot \vdash v : [] \dashv \cdot$ (1)

by hypothesis.

Thus, we conclude by case 1 of the definition.

Case (t:Pure-Read), (t:Linear-Read), (t:Pure-Elim), (t:New) - Not applicable.

Case (t:Delete), (t:Assign), (t:Dereference-Linear), (t:Dereference-Pure) - Not applicable.

Case (t:Record) - We have:

$\Gamma \mid \Delta \vdash \{\overline{f = v}\} : [\overline{f : A}] \dashv \cdot$ (1)

by hypothesis.

$\Gamma \mid \Delta \vdash v_i : A_i \dashv \cdot$ (2)

by inversion on (t:Record).

Thus, we conclude by case 8 of the definition.

Case (t:Selection), (t:Application) - Not applicable.

Case (t:Function) - We have:

$\Gamma \mid \Delta^{G} \vdash \mathsf{fun}(x : A_0).e : A_0 \multimap A_1 \dashv \cdot$ (1)

by hypothesis.

$\Gamma \mid \Delta^{G}, x : A_0 \vdash e : A_1 \dashv \cdot$ (2)

by inversion on (t:Function).

$A_0 <: A_0$ (3)

by (st:Symmetry) with $A_0$.

Thus, we conclude by case 5 of the definition.

Case (t:Cap-Elim) - Not applicable.

Case (t:Cap-Stack) - We have:

$\Gamma \mid \Delta \vdash v : A_0 :: A_1 \dashv \cdot$ (1)

by hypothesis.

$\Gamma \mid \Delta \vdash v : A_0 \dashv A_1$ (2)

by inversion on (t:Cap-Stack).

Thus, we conclude by case 3 of the definition.

Case (t:Cap-Unstack), (t:Application) - Not applicable.

Case (t:Forall-Loc) We have:

$\Gamma \mid \Delta^{G} \vdash \langle t \rangle e : \forall t.A \dashv \cdot$ (1)

by hypothesis.

$\Gamma, t : \mathsf{loc} \mid \Delta^{G} \vdash e : A \dashv \cdot$ (2)

by inversion on (t:Forall-Loc) with (1).

Thus, we conclude by case 6 of the definition.

Case (t:Loc-App) Not applicable.

Case (t:Loc-Pack) We have:

$\Gamma \mid \Delta \vdash \langle p, v \rangle : \exists t.A \dashv \cdot$ (1)

by hypothesis.

$\Gamma \mid \Delta \vdash v : A\{p/t\} \dashv \cdot$ (2)

by inversion on (t:Loc-Pack) with (1).

Thus, we conclude by case 7 of the definition.

Case (t:Loc-Open) Not applicable.

Case (t:Forall-Type) We have:

$\Gamma \mid \Delta^{G} \vdash \langle X \rangle e : \forall X.A \dashv \cdot$ (1)

by hypothesis.

$\Gamma, X : \mathsf{type} \mid \Delta^{G} \vdash e : A \dashv \cdot$ (2)

by inversion on (t:Forall-Type) with (1).

Thus, we conclude by case 9 of the definition.

Case (t:Type-App) Not applicable.

Case (t:Type-Pack) We have:

$\Gamma \mid \Delta \vdash \langle A_0, v \rangle : \exists X.A_1 \dashv \cdot$ (1)

by hypothesis.

$\Gamma \mid \Delta \vdash v : A_1\{A_0/X\} \dashv \cdot$ (2)

by inversion on (t:Type-Pack) with (1).

Thus, we conclude by case 10 of the definition.

Case (t:Type-Open) Not applicable.

Case (t:Tag) We have:

$\Gamma \mid \Delta \vdash l \# v : l \# A \dashv \cdot$ (1)

by hypothesis.

$\Gamma \mid \Delta \vdash v : A \dashv \cdot$ (2)

by inversion on (t:Tag).

Thus, we conclude by case 11 of the definition.

Case (t:Case) Not applicable.

Case (t:Alternative-Left) We have:

$\Gamma \mid \Delta, A_0 \oplus A_1 \vdash v : A_2 \dashv \cdot$ (1)

by hypothesis.

$\Gamma \mid \Delta, A_0 \vdash v : A_2 \dashv \cdot$ (2)

$\Gamma \mid \Delta, A_1 \vdash v : A_2 \dashv \cdot$ (3)

by inversion on (t:Alternative-Left).

Thus, we conclude by case 13 of the definition.

Case (t:Frame) Not applicable: the $\Delta$ environment on the right is empty; otherwise, direct application of the induction hypothesis.
Case (t:Subsumption) We have:

$\Gamma \mid \Delta \vdash v : A_1 \dashv \cdot$ (1)

by hypothesis.

$\Delta <: \Delta'$ (2)

$\Gamma \mid \Delta' \vdash v : A_0 \dashv \cdot$ (3)

$A_0 <: A_1$ (4)

$\cdot <: \cdot$ (5)

by inversion on (t:Subsumption).

By induction hypothesis on (3) we have that one of the following holds:

1. if $A_0 = []$ then:

$\Delta' = \cdot$ (1.1)

$\Gamma \mid \cdot \vdash v : [] \dashv \cdot$ (1.2)

$[] <: A_1$ (1.3)

by case 1 of the hypothesis and rewriting (4).

Then, by (Subtyping Inversion Lemma) on (1.3) we have that either:

• [1] $A_1 = []$ (1.4)

and we conclude as case 1 of the definition.

• [5(c)] $A_1 = ![]$ (1.5)

and we conclude as case 2 of the definition.

• [17] $A_1 = [] \oplus A'$ (1.6)

and we conclude as case 14 of the definition using (3).

2. if $A_0 = !A$ then:

$\Delta' = \cdot$ (2.1)

$\Gamma \mid \cdot \vdash v : A \dashv \cdot$ (2.2)

$!A <: A_1$ (2.3)

by case 2 of the hypothesis and rewriting (4).

By (Subtyping Inversion Lemma) on (2.3) we have that either:

• [1] $A_1 = !A$

Thus, we conclude by case 2 of the definition through (2.2).

• [2(a)] $A_1 = A$

Thus, we conclude by induction hypothesis on (2.2).

• [2(b)] $A_1 = !A'$ and $A <: A'$

$\Gamma \mid \cdot \vdash v : A' \dashv \cdot$ (2.4)

by (t:Subsumption) on (2.2) with $A <: A'$.

Thus, we conclude by case 2 of the definition with (2.4).

• [2(c)] $A_1 = ![]$

$\Gamma \mid \cdot \vdash v : [] \dashv \cdot$ (2.5)

by (t:Unit) on $v$.

Thus, we conclude by case 2 of the definition.

• [17] $A_1 = !A \oplus A'$ (2.6)

and we conclude as case 14 of the definition using (3).

3. if $A_0 = A \multimap A'$ then:

$v = \mathsf{fun}(x : A).e$ (3.1)

$\Gamma \mid \Delta'^{G}, x : A \vdash e : A' \dashv \cdot$ (3.2)

$A \multimap A' <: A_1$ (3.3)

by case 5 of the hypothesis and rewriting (4).

By (Subtyping Inversion Lemma) on (3.3) we have that:

(Note: we omit the remaining cases since they are straightforward.)

$A_1 = A'' \multimap A'''$ (3.4)

$A' <: A'''$ (3.5)

$A'' <: A$ (3.6)

$\Gamma \mid \Delta'^{G}, x : A \vdash e : A''' \dashv \cdot$ (3.7)

by (t:Subsumption) on (3.2) and (3.5).

$\Gamma \mid \Delta^{G}, x : A \vdash e : A''' \dashv \cdot$ (3.8)

by (t:Subsumption) on (3.7) and (sd:Var) with (2).

(A defocus-guarantee can never be introduced by subtyping, thus $\Delta^{G}$.)

Thus, with (3.8), (3.6) and (3.1) we conclude by case 5 of the definition.

4. if $A_0 = A :: A'$ then:

$\Gamma \mid \Delta' \vdash v : A \dashv A'$ (4.1)

$A :: A' <: A_1$ (4.2)

by case 3 of the hypothesis and rewriting (4).

By (Subtyping Inversion Lemma) on (4.2) we have that:

(Note: we omit the remaining cases since they are straightforward.)

$A_1 = A'' :: A'''$ (4.3)

$A <: A''$ (4.4)

$A' <: A'''$ (4.5)

$\Gamma \mid \Delta \vdash v : A'' \dashv A'''$ (4.6)

by (t:Subsumption) on (4.1) with (4.4) and (4.5).

Thus, we conclude by case 3 of the definition.

5. if $A_0 = [\overline{f : A}]$ then:

$v = \{\overline{f = v'}\}$ (5.1)

$\Gamma \mid \Delta' \vdash \overline{v'} : \overline{A} \dashv \cdot$ (5.2)

$[\overline{f : A}] <: A_1$ (5.5)

by case 8 of the hypothesis and rewriting (4).

By (Subtyping Inversion Lemma) on (5.5) we have that either:

(Note: the remaining [1] and [17] cases are straightforward.)

• [5(b)] $A_0 = [\overline{f : A}, f_i : A']$ and

$A_1 = [\overline{f : A}, f_i : A'']$ (5.6)

$A' <: A''$ (5.7)

Thus, by (t:Subsumption) on (5.2) and (5.7) we conclude by case 8 of the definition.

• [5(a)] $A_0 = [\overline{f : A}, f_i : A_i]$ and $A_1 = [\overline{f : A}]$ and $i > 0$.

Thus, by (t:Record) with (5.1) and ignoring the dropped field, we conclude by case 8 of the definition. Note that all fields have the same effect and by $i > 0$ we ensure that subtyping leaves at least one field to do such effect.

• [5(c)] $A_0 = [\overline{f : !A}]$ and

$A_1 = ![\overline{f : !A}]$ (5.8)

$\Gamma \mid \Delta' \vdash v'_i : !A_i \dashv \cdot$ (5.9)

by rewriting (5.2) with (5.8).

$\Gamma \mid \cdot \vdash v'_i : !A_i \dashv \cdot$ (5.10)

by induction hypothesis on (5.9), note the $!$ type.

$\Gamma \mid \cdot \vdash \{\overline{f = v'}\} : [\overline{f : !A}] \dashv \cdot$ (5.11)

by (t:Record) on (5.10).

Thus, we conclude by case 2 of the definition.

6. if $A_0 = \exists t.A$ then:

$v = \langle p, v' \rangle$ (6.1)

$\Gamma \mid \Delta' \vdash v' : A\{p/t\} \dashv \cdot$ (6.2)

$\exists t.A <: A_1$ (6.3)

by case 7 of the hypothesis and rewriting (4).

By (Subtyping Inversion Lemma) on (6.3) we have that:

(Note: the remaining [1] and [17] cases are straightforward.)

$A_1 = \exists t.A'$ (6.4)

$A <: A'$ (6.5)

$\Gamma \mid \Delta \vdash v' : A'\{p/t\} \dashv \cdot$ (6.6)

by (t:Subsumption) on (6.2) and (6.5).

Thus, we conclude by case 7 of the definition.

7. if $A_0 = \forall t.A$ then:

$v = \langle t \rangle e$ (7.1)

$\Gamma, t : \mathsf{loc} \mid \Delta'^{G} \vdash e : A \dashv \cdot$ (7.2)

$\forall t.A <: A_1$ (7.3)

by case 6 of the hypothesis and rewriting (4).

By (Subtyping Inversion Lemma) on (7.3) we have that:

(Note: the remaining [1] and [17] cases are straightforward.)

$A_1 = \forall t.A'$ (7.4)

$A <: A'$ (7.5)

$\Gamma, t : \mathsf{loc} \mid \Delta^{G} \vdash e : A' \dashv \cdot$ (7.6)

by (t:Subsumption) on (7.2) and (7.5).

(Note that a defocus-guarantee cannot be introduced by subtyping.)

Thus, we conclude by case 6 of the definition.

8. if $A_0 = \mathsf{ref}\ p$ then:

$v = p$ (8.1)

$p : \mathsf{loc} \in \Gamma$ (8.2)

$\Delta = \cdot$ (8.3)

$\mathsf{ref}\ p <: A_1$ (8.4)

by case 4 of the hypothesis and rewriting (4).

(Note: the remaining [1] and [17] cases are straightforward.)

By (Subtyping Inversion Lemma) on (8.4) we have:

• [11] $A_1 = !(\mathsf{ref}\ p)$

Thus, we conclude by case 2 of the definition.

9. if $A_0 = \exists X.A$, analogous to $\exists t.A$.

10. if $A_0 = \forall X.A$, analogous to $\forall t.A$.

11. if $A_0 = \sum_i l_i \# A_i$ then:

$v = l_i \# v_i$ (11.1)

$\Gamma \mid \Delta' \vdash v_i : A_i \dashv \cdot$ (11.2)

for some $i$.

$\sum_i l_i \# A_i <: A_1$ (11.3)

(Note: the remaining [1] and [17] cases are straightforward.)

By (Subtyping Inversion Lemma) on (11.3) we have that:

$A_1 = l' \# A' + \sum_i l_i \# A_i$ (11.4)

Thus, by (11.2) we conclude by case 11 of the definition.

12. if $A_0 = \mathsf{rec}\ X.A$ then:

$\Gamma \mid \Delta' \vdash v : A\{\mathsf{rec}\ X.A / X\} \dashv \cdot$ (12.1)

$\mathsf{rec}\ X.A <: A_1$ (12.2)

by case 12 of the hypothesis and rewriting (4).

(Note: the remaining [1] and [17] cases are straightforward.)

By (Subtyping Inversion Lemma) on (12.2) we have that either:

• [15(a)] $A_1 = \mathsf{rec}\ X.A'$ and $A <: A'$

$\Gamma \mid \Delta \vdash v : A'\{\mathsf{rec}\ X.A' / X\} \dashv \cdot$ (12.3)

by (t:Subsumption) on (12.1).

Thus, we conclude by case 12 of the definition.

• [15(b)] $A_1 = A\{\mathsf{rec}\ X.A / X\}$

Thus, we conclude by induction hypothesis on (12.1) combined with (t:Subsumption) on each case.

13. if $\Delta = \Delta', A_2 \oplus A_3$ then:

$\Gamma \mid \Delta', A_2 \vdash v : A_0 \dashv \cdot$ (13.1)

$\Gamma \mid \Delta', A_3 \vdash v : A_0 \dashv \cdot$ (13.2)

$A_0 <: A_1$ (13.3)

By induction hypothesis on each case and then (t:Subsumption).

14. if $A_0 = A_1 \oplus A_2$ then either:

$\Gamma \mid \Delta' \vdash v : A_1 \dashv \cdot$ (14.1)

$\Gamma \mid \Delta' \vdash v : A_2 \dashv \cdot$ (14.2)

and:

$A_1 \oplus A_2 <: A'$ (14.3)

This case is analogous to previous ones by applying (Subtyping Inversion Lemma) on (14.3), yielding cases [1] and [17]. The first is immediate; the second is closed by considering either (14.1) or (14.2) through (t:Subsumption).

Case (t:Let), (t:Share), (t:Focus-Rely), (t:Defocus-Guarantee) Not values.

□
B.6 Substitution

For clarity, substitution is defined on constructs that allow expressions even though our grammar (in some places) only allows values, since such a difference has no impact on the following definitions and is generally more readable.

1. Variable Substitution, (vs:*)

We define the usual capture-avoiding (i.e. up to renaming of bound variables) substitution rules:

$e_0\{v/x\} = e_1$

(vs:1) $p\{v/x\} = p$

(vs:2) $x\{v/x\} = v$

(vs:3) $x_0\{v/x_1\} = x_0$ $(x_0 \neq x_1)$

(vs:4) $(\mathsf{fun}(x_0 : A).e_0)\{v/x_1\} = \mathsf{fun}(x_0 : A).e_0\{v/x_1\}$ $(x_0 \neq x_1)$

(vs:5) $\{\overline{f = e}\}\{v/x\} = \{\overline{f = e\{v/x\}}\}$

(vs:6) $(e.f)\{v/x\} = e\{v/x\}.f$

(vs:7) $(e_0\ e_1)\{v/x\} = e_0\{v/x\}\ e_1\{v/x\}$

(vs:8) $(\mathsf{new}\ e)\{v/x\} = \mathsf{new}\ e\{v/x\}$

(vs:9) $(\mathsf{delete}\ e)\{v/x\} = \mathsf{delete}\ e\{v/x\}$

(vs:10) $(!e)\{v/x\} = !e\{v/x\}$

(vs:11) $(e_0 := e_1)\{v/x\} = e_0\{v/x\} := e_1\{v/x\}$

(vs:12) $\langle p, e \rangle\{v/x\} = \langle p, e\{v/x\} \rangle$

(vs:13) $e[p]\{v/x\} = e\{v/x\}[p]$

(vs:14) $(\langle t \rangle e)\{v/x\} = \langle t \rangle e\{v/x\}$

(vs:15) $(\mathsf{open}\ \langle t, x_0 \rangle = e_0\ \mathsf{in}\ e_1\ \mathsf{end})\{v/x_1\} = \mathsf{open}\ \langle t, x_0 \rangle = e_0\{v/x_1\}\ \mathsf{in}\ e_1\{v/x_1\}\ \mathsf{end}$ $(x_0 \neq x_1)$

(vs:16) $\langle A, e \rangle\{v/x\} = \langle A, e\{v/x\} \rangle$

(vs:17) $e[A]\{v/x\} = e\{v/x\}[A]$

(vs:18) $(\langle X \rangle e)\{v/x\} = \langle X \rangle e\{v/x\}$

(vs:19) $(\mathsf{open}\ \langle X, x_0 \rangle = e_0\ \mathsf{in}\ e_1\ \mathsf{end})\{v/x_1\} = \mathsf{open}\ \langle X, x_0 \rangle = e_0\{v/x_1\}\ \mathsf{in}\ e_1\{v/x_1\}\ \mathsf{end}$ $(x_0 \neq x_1)$

(vs:20) $(l \# e)\{v/x\} = l \# e\{v/x\}$

(vs:21) $(\mathsf{case}\ e\ \mathsf{of}\ \overline{l_i \# x_i \to e_i}\ \mathsf{end})\{v/x\} = \mathsf{case}\ e\{v/x\}\ \mathsf{of}\ \overline{l_i \# x_i \to e_i\{v/x\}}\ \mathsf{end}$ $(x_i \neq x)$

(vs:22) $(\mathsf{let}\ x_0 = e_0\ \mathsf{in}\ e_1\ \mathsf{end})\{v/x_1\} = \mathsf{let}\ x_0 = e_0\{v/x_1\}\ \mathsf{in}\ e_1\{v/x_1\}\ \mathsf{end}$ $(x_0 \neq x_1)$

(vs:23) $(\mathsf{share}\ A_0\ \mathsf{as}\ A_1\ ||\ A_2)\{v/x\} = \mathsf{share}\ A_0\{v/x\}\ \mathsf{as}\ A_1\{v/x\}\ ||\ A_2\{v/x\}$

(vs:24) $(\mathsf{focus}\ A)\{v/x\} = \mathsf{focus}\ A\{v/x\}$

(vs:25) $\mathsf{defocus}\{v/x\} = \mathsf{defocus}$


2. Location Variable Substitution, (ls:*)

Similarly, we define location substitution (but here up to renaming of bound location variables) as:
$e_0\{p/t\} = e_1$

(ls:1.1) $p\{p/t\} = p$

(ls:1.2) $x\{p/t\} = x$

(ls:1.3) $(\mathsf{fun}(x : A).e)\{p/t\} = \mathsf{fun}(x : A\{p/t\}).e\{p/t\}$

(ls:1.4) $\{\overline{f = e}\}\{p/t\} = \{\overline{f = e\{p/t\}}\}$

(ls:1.5) $(e.f)\{p/t\} = e\{p/t\}.f$

(ls:1.6) $(e_0\ e_1)\{p/t\} = e_0\{p/t\}\ e_1\{p/t\}$

(ls:1.7) $(\mathsf{new}\ e)\{p/t\} = \mathsf{new}\ e\{p/t\}$

(ls:1.8) $(\mathsf{delete}\ e)\{p/t\} = \mathsf{delete}\ e\{p/t\}$

(ls:1.9) $(!e)\{p/t\} = !e\{p/t\}$

(ls:1.10) $(e_0 := e_1)\{p/t\} = e_0\{p/t\} := e_1\{p/t\}$

(ls:1.11) $\langle p_0, e \rangle\{p_1/t\} = \langle p_0\{p_1/t\}, e\{p_1/t\} \rangle$

(ls:1.12) $e[p_0]\{p_1/t\} = e\{p_1/t\}[p_0\{p_1/t\}]$

(ls:1.13) $(\langle t_0 \rangle e)\{p/t_1\} = \langle t_0 \rangle e\{p/t_1\}$ $(t_0 \neq t_1)$

(ls:1.14) $(\mathsf{open}\ \langle t_0, x \rangle = e_0\ \mathsf{in}\ e_1\ \mathsf{end})\{p/t_1\} = \mathsf{open}\ \langle t_0, x \rangle = e_0\{p/t_1\}\ \mathsf{in}\ e_1\{p/t_1\}\ \mathsf{end}$ $(t_0 \neq t_1)$

(ls:1.15) $\langle A, e \rangle\{p/t\} = \langle A\{p/t\}, e\{p/t\} \rangle$

(ls:1.16) $e[A]\{p/t\} = e\{p/t\}[A\{p/t\}]$

(ls:1.17) $(\langle X \rangle e)\{p/t\} = \langle X \rangle e\{p/t\}$

(ls:1.18) $(\mathsf{open}\ \langle X, x \rangle = e_0\ \mathsf{in}\ e_1\ \mathsf{end})\{p/t\} = \mathsf{open}\ \langle X, x \rangle = e_0\{p/t\}\ \mathsf{in}\ e_1\{p/t\}\ \mathsf{end}$

(ls:1.19) $(l \# e)\{p/t\} = l \# e\{p/t\}$

(ls:1.20) $(\mathsf{case}\ e\ \mathsf{of}\ \overline{l_i \# x_i \to e_i}\ \mathsf{end})\{p/t\} = \mathsf{case}\ e\{p/t\}\ \mathsf{of}\ \overline{l_i \# x_i \to e_i\{p/t\}}\ \mathsf{end}$

(ls:1.21) $(\mathsf{let}\ x = e_0\ \mathsf{in}\ e_1\ \mathsf{end})\{p/t\} = \mathsf{let}\ x = e_0\{p/t\}\ \mathsf{in}\ e_1\{p/t\}\ \mathsf{end}$

(ls:1.22) $(\mathsf{share}\ A_0\ \mathsf{as}\ A_1\ ||\ A_2)\{p/t\} = \mathsf{share}\ A_0\{p/t\}\ \mathsf{as}\ A_1\{p/t\}\ ||\ A_2\{p/t\}$

(ls:1.23) $(\mathsf{focus}\ A)\{p/t\} = \mathsf{focus}\ A\{p/t\}$

(ls:1.24) $\mathsf{defocus}\{p/t\} = \mathsf{defocus}$
$A_0\{\rho/t\} = A_1$

(ls:2.1) $\rho\{\rho/t\} = \rho$

(ls:2.2) $t\{\rho/t\} = \rho$

(ls:2.3) $t_0\{\rho/t_1\} = t_0$ ($t_0 \neq t_1$)

(ls:2.4) $(!A)\{\rho/t\} = !A\{\rho/t\}$

(ls:2.5) $(A_0 \multimap A_1)\{\rho/t\} = A_0\{\rho/t\} \multimap A_1\{\rho/t\}$

(ls:2.6) $(A_0 :: A_1)\{\rho/t\} = A_0\{\rho/t\} :: A_1\{\rho/t\}$

(ls:2.7) $[\mathsf{f} : A]\{\rho/t\} = [\mathsf{f} : A\{\rho/t\}]$

(ls:2.8) $(\forall t_0.A)\{\rho/t_1\} = \forall t_0.A\{\rho/t_1\}$ ($t_0 \neq t_1$)

(ls:2.9) $(\exists t_0.A)\{\rho/t_1\} = \exists t_0.A\{\rho/t_1\}$ ($t_0 \neq t_1$)

(ls:2.10) $(\mathsf{ref}\ \rho_0)\{\rho_1/t\} = \mathsf{ref}\ \rho_0\{\rho_1/t\}$

(ls:2.12) $(\mathsf{rw}\ \rho_0\ A)\{\rho_1/t\} = \mathsf{rw}\ \rho_0\{\rho_1/t\}\ A\{\rho_1/t\}$

(ls:2.13) $(A_0 * A_1)\{\rho/t\} = A_0\{\rho/t\} * A_1\{\rho/t\}$

(ls:2.14) $(\forall X.A)\{\rho/t\} = \forall X.A\{\rho/t\}$

(ls:2.15) $(\exists X.A)\{\rho/t\} = \exists X.A\{\rho/t\}$

(ls:2.16) $X\{\rho/t\} = X$

(ls:2.17) $(\mathsf{rec}\ X.A)\{\rho/t\} = \mathsf{rec}\ X.A\{\rho/t\}$

(ls:2.18) $(\Sigma_i\, \mathsf{l}_i\#A_i)\{\rho/t\} = \Sigma_i\, \mathsf{l}_i\#A_i\{\rho/t\}$

(ls:2.19) $(A_0 \oplus A_1)\{\rho/t\} = A_0\{\rho/t\} \oplus A_1\{\rho/t\}$

(ls:2.20) $\mathsf{none}\{\rho/t\} = \mathsf{none}$

(ls:2.21) $(A_0 \Rightarrow A_1)\{\rho/t\} =  A_0\{\rho/t\} \Rightarrow A_1\{\rho/t\}$

(ls:2.22) $(A_0 ; A_1)\{\rho/t\} = A_0\{\rho/t\} ; A_1\{\rho/t\}$

(ls:2.23) $(A_0 \,\&\, A_1)\{\rho/t\} = A_0\{\rho/t\} \,\&\, A_1\{\rho/t\}$


$\Gamma_0\{\rho/t\} = \Gamma_1$

(ls:3.1) $\cdot\{\rho/t\} = \cdot$

(ls:3.2) $(\Gamma, x : A)\{\rho/t\} = \Gamma\{\rho/t\}, x : A\{\rho/t\}$

(ls:3.3) $(\Gamma, t_0 : \mathsf{loc})\{\rho/t_1\} = \Gamma\{\rho/t_1\}, t_0 : \mathsf{loc}$ ($t_0 \neq t_1$)

(ls:3.4) $(\Gamma, X : \mathsf{type})\{\rho/t\} = \Gamma\{\rho/t\}, X : \mathsf{type}$


$\Delta_0\{\rho/t\} = \Delta_1$

(ls:4.1) $\cdot\{\rho/t\} = \cdot$

(ls:4.2) $(\Delta, x : A)\{\rho/t\} = \Delta\{\rho/t\}, x : A\{\rho/t\}$

(ls:4.3) $(\Delta, A)\{\rho/t\} = \Delta\{\rho/t\}, A\{\rho/t\}$

(ls:4.4) $(\Delta, A \triangleright M)\{\rho/t\} = \Delta\{\rho/t\}, A\{\rho/t\} \triangleright M\{\rho/t\}$

3.  Type  Variable  Substitution,  (xs:*) 

Finally, we define type substitution (up to renaming of bound type variables) as:

$e_0\{A/X\} = e_1$

(ts:1.1) $\rho\{A/X\} = \rho$

(ts:1.2) $x\{A/X\} = x$

(ts:1.3) $(\mathsf{fun}(x : A_0).e)\{A_1/X\} = \mathsf{fun}(x : A_0\{A_1/X\}).e\{A_1/X\}$

(ts:1.4) $\{\mathsf{f} = e\}\{A/X\} = \{\mathsf{f} = e\{A/X\}\}$

(ts:1.5) $(e.\mathsf{f})\{A/X\} = e\{A/X\}.\mathsf{f}$

(ts:1.6) $(e_0\ e_1)\{A/X\} = e_0\{A/X\}\ e_1\{A/X\}$

(ts:1.7) $(\mathsf{new}\ e)\{A/X\} = \mathsf{new}\ e\{A/X\}$

(ts:1.8) $(\mathsf{delete}\ e)\{A/X\} = \mathsf{delete}\ e\{A/X\}$

(ts:1.9) $(!e)\{A/X\} = !e\{A/X\}$

(ts:1.10) $(e_0 := e_1)\{A/X\} = e_0\{A/X\} := e_1\{A/X\}$

(ts:1.11) $\langle \rho, e\rangle\{A/X\} = \langle \rho, e\{A/X\}\rangle$

(ts:1.12) $(e[\rho])\{A/X\} = e\{A/X\}[\rho]$

(ts:1.13) $(\langle t\rangle e)\{A/X\} = \langle t\rangle e\{A/X\}$

(ts:1.14) $(\mathsf{open}\ \langle t, x\rangle = e_0\ \mathsf{in}\ e_1\ \mathsf{end})\{A/X\} = \mathsf{open}\ \langle t, x\rangle = e_0\{A/X\}\ \mathsf{in}\ e_1\{A/X\}\ \mathsf{end}$

(ts:1.15) $\langle A_0, e\rangle\{A_1/X\} = \langle A_0\{A_1/X\}, e\{A_1/X\}\rangle$

(ts:1.16) $(e[A_0])\{A_1/X\} = e\{A_1/X\}[A_0\{A_1/X\}]$

(ts:1.17) $(\langle X_0\rangle e)\{A/X_1\} = \langle X_0\rangle e\{A/X_1\}$ ($X_0 \neq X_1$)

(ts:1.18) $(\mathsf{open}\ \langle X_0, x\rangle = e_0\ \mathsf{in}\ e_1\ \mathsf{end})\{A/X_1\} = \mathsf{open}\ \langle X_0, x\rangle = e_0\{A/X_1\}\ \mathsf{in}\ e_1\{A/X_1\}\ \mathsf{end}$ ($X_0 \neq X_1$)

(ts:1.19) $(\mathsf{l}\#e)\{A/X\} = \mathsf{l}\#e\{A/X\}$

(ts:1.20) $(\mathsf{case}\ e\ \mathsf{of}\ \mathsf{l}_i\#x_i \to e_i\ \mathsf{end})\{A/X\} = \mathsf{case}\ e\{A/X\}\ \mathsf{of}\ \mathsf{l}_i\#x_i \to e_i\{A/X\}\ \mathsf{end}$

(ts:1.21) $(\mathsf{let}\ x = e_0\ \mathsf{in}\ e_1\ \mathsf{end})\{A/X\} = \mathsf{let}\ x = e_0\{A/X\}\ \mathsf{in}\ e_1\{A/X\}\ \mathsf{end}$

(ts:1.22) $(\mathsf{share}\ A_0\ \mathsf{as}\ A_1\ \|\ A_2)\{A/X\} = \mathsf{share}\ A_0\{A/X\}\ \mathsf{as}\ A_1\{A/X\}\ \|\ A_2\{A/X\}$

(ts:1.23) $(\mathsf{focus}\ A')\{A/X\} = \mathsf{focus}\ A'\{A/X\}$

(ts:1.24) $\mathsf{defocus}\{A/X\} = \mathsf{defocus}$
$A_0\{A_1/X\} = A_2$

(ts:2.1) $\rho\{A/X\} = \rho$

(ts:2.2) $t\{A/X\} = t$

(ts:2.3) $X\{A/X\} = A$

(ts:2.4) $X_0\{A/X_1\} = X_0$ ($X_0 \neq X_1$)

(ts:2.5) $(!A_0)\{A_1/X\} = !A_0\{A_1/X\}$

(ts:2.6) $(A_0 \multimap A_1)\{A_2/X\} = A_0\{A_2/X\} \multimap A_1\{A_2/X\}$

(ts:2.7) $(A_0 :: A_1)\{A_2/X\} = A_0\{A_2/X\} :: A_1\{A_2/X\}$

(ts:2.8) $[\mathsf{f} : A]\{A_0/X\} = [\mathsf{f} : A\{A_0/X\}]$

(ts:2.9) $(\forall t.A_0)\{A_1/X\} = \forall t.A_0\{A_1/X\}$

(ts:2.10) $(\exists t.A_0)\{A_1/X\} = \exists t.A_0\{A_1/X\}$

(ts:2.11) $(\mathsf{ref}\ \rho)\{A/X\} = \mathsf{ref}\ \rho$

(ts:2.13) $(\mathsf{rw}\ \rho\ A_0)\{A_1/X\} = \mathsf{rw}\ \rho\ A_0\{A_1/X\}$

(ts:2.14) $(A_0 * A_1)\{A_2/X\} = A_0\{A_2/X\} * A_1\{A_2/X\}$

(ts:2.15) $(\forall X_0.A_0)\{A_1/X_1\} = \forall X_0.A_0\{A_1/X_1\}$ ($X_0 \neq X_1$)

(ts:2.16) $(\exists X_0.A_0)\{A_1/X_1\} = \exists X_0.A_0\{A_1/X_1\}$ ($X_0 \neq X_1$)

(ts:2.17) $(\mathsf{rec}\ X_0.A_0)\{A_1/X_1\} = \mathsf{rec}\ X_0.A_0\{A_1/X_1\}$ ($X_0 \neq X_1$)

(ts:2.18) $(\Sigma_i\, \mathsf{l}_i\#A_i)\{A/X\} = \Sigma_i\, \mathsf{l}_i\#A_i\{A/X\}$

(ts:2.19) $(A_0 \oplus A_1)\{A/X\} = A_0\{A/X\} \oplus A_1\{A/X\}$

(ts:2.20) $\mathsf{none}\{A/X\} = \mathsf{none}$

(ts:2.21) $(A_0 \Rightarrow A_1)\{A/X\} = A_0\{A/X\} \Rightarrow A_1\{A/X\}$

(ts:2.22) $(A_0 ; A_1)\{A/X\} = A_0\{A/X\} ; A_1\{A/X\}$

(ts:2.23) $(A_0 \,\&\, A_1)\{A/X\} = A_0\{A/X\} \,\&\, A_1\{A/X\}$


$\Gamma_0\{A/X\} = \Gamma_1$

(ts:3.1) $\cdot\{A/X\} = \cdot$

(ts:3.2) $(\Gamma, x : A_0)\{A_1/X\} = \Gamma\{A_1/X\}, x : A_0\{A_1/X\}$

(ts:3.3) $(\Gamma, t : \mathsf{loc})\{A/X\} = \Gamma\{A/X\}, t : \mathsf{loc}$

(ts:3.4) $(\Gamma, X_0 : \mathsf{type})\{A/X_1\} = \Gamma\{A/X_1\}, X_0 : \mathsf{type}$ ($X_0 \neq X_1$)


$\Delta_0\{A/X\} = \Delta_1$

(ts:4.1) $\cdot\{A/X\} = \cdot$

(ts:4.2) $(\Delta, x : A_0)\{A_1/X\} = \Delta\{A_1/X\}, x : A_0\{A_1/X\}$

(ts:4.3) $(\Delta, A_0)\{A_1/X\} = \Delta\{A_1/X\}, A_0\{A_1/X\}$

(ts:4.4) $(\Delta, A_0 \triangleright A')\{A_1/X\} = \Delta\{A_1/X\}, A_0\{A_1/X\} \triangleright A'\{A_1/X\}$
B.7 Free Variables Lemma

Lemma 7 (Free Variables Lemma). If $\Gamma \mid \Delta_0, x : A_0 \vdash e : A_1 \dashv \Delta_1$ and $x \in \mathrm{fv}(e)$ then $x \notin \Delta_1$, where $\mathrm{fv}(e) \triangleq$ "set of all free variables inside the expression $e$".

Proof. We proceed by induction on the derivation of $\Gamma \mid \Delta_0, x : A_0 \vdash e : A_1 \dashv \Delta_1$.

Case (t:Ref), (t:Pure), (t:Unit), (t:Pure-Read) - $\Delta$ is empty.

Case (t:Linear-Read) - We have:

$\Gamma \mid x : A \vdash x : A \dashv \cdot$ (1)

$x \in \mathrm{fv}(x)$ (2)

by hypothesis.

Therefore, we immediately conclude $x \notin \cdot$.

Case (t:Pure-Elim) - We have:

$\Gamma \mid \Delta_0, x : !A_0 \vdash e : A_1 \dashv \Delta_1$ (1)

$x \in \mathrm{fv}(e)$ (2)

by hypothesis.

$\Gamma, x : A_0 \mid \Delta_0 \vdash e : A_1 \dashv \Delta_1$ (3)

by inversion on (t:Pure-Elim).

$x \notin \Delta_1$ (4)

because $x$ is in the linear environment (and cannot appear duplicated in $\Delta$'s).

Therefore, we conclude.

(Note: the case when $x$ is not the one used in the (t:Pure-Elim) rule is a direct application of the induction hypothesis.)


Case (t:New) - We have:

$\Gamma \mid \Delta_0, x : A_0 \vdash \mathsf{new}\ v : \exists t.(\mathsf{ref}\ t :: \mathsf{rw}\ t\ A) \dashv \Delta_1$ (1)

$x \in \mathrm{fv}(\mathsf{new}\ v)$ (2)

by hypothesis.

$\Gamma \mid \Delta_0, x : A_0 \vdash v : A \dashv \Delta_1$ (3)

by inversion on (t:New) with (1).

$x \in \mathrm{fv}(v)$ (4)

[ $\mathrm{fv}(\mathsf{new}\ v) = \mathrm{fv}(v)$ ]
by definition of $\mathrm{fv}$ and (2).

$x \notin \Delta_1$ (5)

by induction hypothesis on (3) and (4).

Therefore, we conclude.


Case (t:Delete) - We have:

$\Gamma \mid \Delta_0, x : A_0 \vdash \mathsf{delete}\ v : \exists t.A \dashv \Delta_1$ (1)

$x \in \mathrm{fv}(\mathsf{delete}\ v)$ (2)

by hypothesis.

$\Gamma \mid \Delta_0, x : A_0 \vdash v : \exists t.(\mathsf{ref}\ t :: \mathsf{rw}\ t\ A) \dashv \Delta_1$ (3)

by inversion on (t:Delete) with (1).

$x \in \mathrm{fv}(v)$ (4)

[ $\mathrm{fv}(\mathsf{delete}\ v) = \mathrm{fv}(v)$ ]
by definition of $\mathrm{fv}$ and (2).

$x \notin \Delta_1$ (5)

by induction hypothesis on (3) and (4).

Therefore, we conclude.

Case (t:Assign) - We have:

$\Gamma \mid \Delta_0, x : A \vdash v_0 := v_1 : A_1 \dashv \Delta_2, \mathsf{rw}\ \rho\ A_0$ (1)

$x \in \mathrm{fv}(v_0 := v_1)$ (2)

by hypothesis.

$\Gamma \mid \Delta_0, x : A \vdash v_1 : A_0 \dashv \Delta_1$ (3)

$\Gamma \mid \Delta_1 \vdash v_0 : \mathsf{ref}\ \rho \dashv \Delta_2, \mathsf{rw}\ \rho\ A_1$ (4)

by inversion on (t:Assign) with (1).
[ $\mathrm{fv}(v_0 := v_1) = \mathrm{fv}(v_0) \cup \mathrm{fv}(v_1)$ ]

Therefore, we have the following possibilities:

1. $x \in \mathrm{fv}(v_0) \wedge x \notin \mathrm{fv}(v_1)$

$(x : A) \in \Delta_1$ (1.1)

by $x \notin \mathrm{fv}(v_1)$.

$x \notin \Delta_2, \mathsf{rw}\ \rho\ A_1$ (1.2)

by induction hypothesis on (4) with (1.1).

$x \notin \Delta_2, \mathsf{rw}\ \rho\ A_0$ (1.3)

since the capability trivially obeys the restriction (since $x$ is not a type).

Thus, we conclude.

2. $x \in \mathrm{fv}(v_1) \wedge x \notin \mathrm{fv}(v_0)$

$x \notin \Delta_1$ (2.1)

by induction hypothesis on (3) and case assumption.

$x \notin \Delta_2, \mathsf{rw}\ \rho\ A_1$ (2.2)

by (2.1) and (4).

$x \notin \Delta_2, \mathsf{rw}\ \rho\ A_0$ (2.3)

since the capability trivially obeys the restriction on (2.2).

Thus, we conclude.

3. $x \in \mathrm{fv}(v_0) \wedge x \in \mathrm{fv}(v_1)$

$x \notin \Delta_1$ (3.1)

by induction hypothesis on (3) and case assumption.

We reach a contradiction since $v_0$ is well-typed by (4) but $x \in \mathrm{fv}(v_0)$ contradicts (3.1). Thus, such a case cannot occur in a well-typed expression.

Thus, we conclude.

Case (t:Dereference-Linear) - We have:

$\Gamma \mid \Delta_0, x : A_0 \vdash !v : A \dashv \Delta_1, \mathsf{rw}\ \rho\ []$ (1)

$x \in \mathrm{fv}(!v)$ (2)

by hypothesis.

$\Gamma \mid \Delta_0, x : A_0 \vdash v : \mathsf{ref}\ \rho \dashv \Delta_1, \mathsf{rw}\ \rho\ A$ (3)

by inversion on (t:Dereference-Linear).

$x \in \mathrm{fv}(v)$ (4)

[ $\mathrm{fv}(!v) = \mathrm{fv}(v)$ ]
by definition of $\mathrm{fv}$ and (2).

$x \notin \Delta_1, \mathsf{rw}\ \rho\ A$ (5)

by induction hypothesis on (3) and (4).

$x \notin \Delta_1, \mathsf{rw}\ \rho\ []$ (6)

by (5) and since $x$ cannot be in $\mathsf{rw}\ \rho\ []$.

Thus, we conclude.

Case (t:Dereference-Pure) - We have:

$\Gamma \mid \Delta_0, x : A_0 \vdash !v : !A_1 \dashv \Delta_1, \mathsf{rw}\ \rho\ !A_1$ (1)

$x \in \mathrm{fv}(!v)$ (2)

by hypothesis.

$\Gamma \mid \Delta_0, x : A_0 \vdash v : \mathsf{ref}\ \rho \dashv \Delta_1, \mathsf{rw}\ \rho\ !A_1$ (3)

by inversion on (t:Dereference-Pure).

$x \in \mathrm{fv}(v)$ (4)

[ $\mathrm{fv}(!v) = \mathrm{fv}(v)$ ]
by definition of $\mathrm{fv}$ and (2).

$x \notin \Delta_1, \mathsf{rw}\ \rho\ !A_1$ (5)

by induction hypothesis on (3) and (4).

Thus, we conclude.

Case (t:Record) - We have:

$\Gamma \mid \Delta, x : A_0 \vdash \{\mathsf{f} = v\} : [\mathsf{f} : A] \dashv \cdot$ (1)

$x \in \mathrm{fv}(\{\mathsf{f} = v\})$ (2)

by hypothesis.

Therefore, we immediately conclude $x \notin \cdot$.
Case (t:Selection) - We have:

$\Gamma \mid \Delta_0, x : A_0 \vdash v.\mathsf{f} : A_1 \dashv \Delta_1$ (1)

$x \in \mathrm{fv}(v.\mathsf{f})$ (2)

by hypothesis.

$\Gamma \mid \Delta_0, x : A_0 \vdash v : [\mathsf{f} : A_1] \dashv \Delta_1$ (3)

by inversion on (t:Selection).

$x \in \mathrm{fv}(v)$ (4)

[ $\mathrm{fv}(v.\mathsf{f}) = \mathrm{fv}(v)$ ]
by definition of $\mathrm{fv}$ and (2).

$x \notin \Delta_1$ (5)

by induction hypothesis on (3) and (4).

Thus, we conclude.

Case (t:Application) - We have:

$\Gamma \mid \Delta_0, x : A \vdash v_0\ v_1 : A_1 \dashv \Delta_2$ (1)

$x \in \mathrm{fv}(v_0\ v_1)$ (2)

[ $\mathrm{fv}(v_0\ v_1) = \mathrm{fv}(v_0) \cup \mathrm{fv}(v_1)$ ]
by hypothesis.

$\Gamma \mid \Delta_0, x : A \vdash v_0 : A_0 \multimap A_1 \dashv \Delta_1$ (3)

$\Gamma \mid \Delta_1 \vdash v_1 : A_0 \dashv \Delta_2$ (4)

by inversion on (t:Application) with (1).

Therefore, we have the following possibilities:

1. $x \in \mathrm{fv}(v_1) \wedge x \notin \mathrm{fv}(v_0)$

$\Gamma \mid \Delta_0, x : A \vdash v_0 : A_0 \multimap A_1 \dashv \Delta_1$ (1.1)

$\Delta_1 = \Delta_1', x : A$ (1.2)

by $x \notin \mathrm{fv}(v_0)$.

$\Gamma \mid \Delta_1', x : A \vdash v_1 : A_0 \dashv \Delta_2$ (1.3)

by rewriting (4) with (1.2).

$x \notin \Delta_2$ (1.4)

by induction hypothesis on (1.3) and sub-case hypothesis.

Thus, we conclude.

2. $x \in \mathrm{fv}(v_0) \wedge x \in \mathrm{fv}(v_1)$

$x \notin \Delta_1$ (2.1)

by induction hypothesis on (3) and case assumption.

We reach a contradiction since $v_1$ is well-typed by (4) but $x \in \mathrm{fv}(v_1)$ contradicts (2.1). Thus, such a case cannot occur in a well-typed expression. Therefore, we conclude.

3. $x \in \mathrm{fv}(v_0) \wedge x \notin \mathrm{fv}(v_1)$

$x \notin \Delta_1$ (3.1)

by induction hypothesis on (3) and case assumption.

$x \notin \Delta_2$ (3.2)

by (3.1) and (4).

Thus, we conclude.
Case (t:Function) - We have:

$\Gamma \mid \Delta_0, x : A_0 \vdash \mathsf{fun}(x_0 : A_2).e : A_2 \multimap A_1 \dashv \cdot$ (1)

$x \in \mathrm{fv}(\mathsf{fun}(x_0 : A_2).e)$ (2)

by hypothesis.

$x \notin \cdot$ (3)

since it is the empty environment.

Thus, we conclude.

Case (t:Forall-Loc) - We have:

$\Gamma \mid \Delta, x : A_0 \vdash \langle t\rangle e : \forall t.A \dashv \cdot$ (1)

$x \in \mathrm{fv}(\langle t\rangle e)$ (2)

by hypothesis.

$x \notin \cdot$ (3)

since it is the empty environment.

Thus, we conclude.

Case (t:Loc-App) - We have:

$\Gamma \mid \Delta, x : A_0 \vdash v[\rho] : A\{\rho/t\} \dashv \Delta_1$ (1)

$x \in \mathrm{fv}(v[\rho])$ (2)

by hypothesis.

$\rho : \mathsf{loc} \in \Gamma$ (3)

$\Gamma \mid \Delta, x : A_0 \vdash v : \forall t.A \dashv \Delta_1$ (4)

by inversion on (t:Loc-App) on (1).

$x \in \mathrm{fv}(v)$ (5)

[ $\mathrm{fv}(v[\rho]) = \mathrm{fv}(v)$ ]
by definition of $\mathrm{fv}$ and (2).

$x \notin \Delta_1$ (6)

by induction hypothesis on (5) and (4).

Thus, we conclude.

Case (t:Loc-Open) - We have:

$\Gamma \mid \Delta_0, x : A \vdash \mathsf{open}\ \langle t, x_0\rangle = v_0\ \mathsf{in}\ e_1\ \mathsf{end} : A_1 \dashv \Delta_2$ (1)

$x \in \mathrm{fv}(\mathsf{open}\ \langle t, x_0\rangle = v_0\ \mathsf{in}\ e_1\ \mathsf{end})$ (2)

[ $\mathrm{fv}(\mathsf{open}\ \langle t, x_0\rangle = v_0\ \mathsf{in}\ e_1\ \mathsf{end}) = \mathrm{fv}(v_0) \cup \mathrm{fv}(e_1)$ ]

by hypothesis.

$\Gamma \mid \Delta_0, x : A \vdash v_0 : \exists t.A_0 \dashv \Delta_1$ (3)

$\Gamma, t : \mathsf{loc} \mid \Delta_1, x_0 : A_0 \vdash e_1 : A_1 \dashv \Delta_2$ (4)

by inversion on (t:Loc-Open) with (1).

Therefore, we have the following possibilities:

1. $x \in \mathrm{fv}(e_1) \wedge x \notin \mathrm{fv}(v_0)$

$(x : A) \in \Delta_1$ (1.1)

by $x \notin \mathrm{fv}(v_0)$.

$x \notin \Delta_2$ (1.2)

by induction hypothesis on (4) with (1.1).

Thus, we conclude.

2. $x \in \mathrm{fv}(v_0) \wedge x \in \mathrm{fv}(e_1)$

$x \notin \Delta_1$ (2.1)

by induction hypothesis on (3) and case assumption.

We reach a contradiction since $e_1$ is well-typed by (4) but $x \in \mathrm{fv}(e_1)$ contradicts (2.1). Thus, such a case cannot occur in a well-typed expression.

3. $x \in \mathrm{fv}(v_0) \wedge x \notin \mathrm{fv}(e_1)$

$x \notin \Delta_1$ (3.1)

by induction hypothesis on (3) and case assumption.

$x \notin \Delta_2$ (3.2)

by (3.1) and (4).

Thus, we conclude.

Case (t:Loc-Pack) - We have:

$\Gamma \mid \Delta, x : A_0 \vdash \langle \rho, v\rangle : \exists t.A \dashv \Delta_1$ (1)

$x \in \mathrm{fv}(\langle \rho, v\rangle)$ (2)

by hypothesis.

$\Gamma \mid \Delta, x : A_0 \vdash v : A\{\rho/t\} \dashv \Delta_1$ (3)

by inversion on (t:Loc-Pack) on (1).

$x \in \mathrm{fv}(v)$ (4)

[ $\mathrm{fv}(\langle \rho, v\rangle) = \mathrm{fv}(v)$ ]
by definition of $\mathrm{fv}$ and (2).

$x \notin \Delta_1$ (5)

by induction hypothesis on (4) and (3).

Thus, we conclude.
Case (t:Forall-Type) - We have:

$\Gamma \mid \Delta, x : A_0 \vdash \langle X\rangle e : \forall X.A \dashv \cdot$ (1)

$x \in \mathrm{fv}(\langle X\rangle e)$ (2)

by hypothesis.

$x \notin \cdot$ (3)

since it is the empty environment.

Thus, we conclude.

Case (t:Type-App) - We have:

$\Gamma \mid \Delta, x : A_0 \vdash v[A_1] : A_2\{A_1/X\} \dashv \Delta_1$ (1)

$x \in \mathrm{fv}(v[A_1])$ (2)

by hypothesis.

$\Gamma \vdash A_1\ \mathsf{type}$ (3)

$\Gamma \mid \Delta, x : A_0 \vdash v : \forall X.A_2 \dashv \Delta_1$ (4)

by inversion on (t:Type-App) on (1).

$x \in \mathrm{fv}(v)$ (5)

[ $\mathrm{fv}(v[A_1]) = \mathrm{fv}(v)$ ]
by definition of $\mathrm{fv}$ and (2).

$x \notin \Delta_1$ (6)

by induction hypothesis on (5) and (4).

Thus, we conclude.

Case (t:Type-Pack) - We have:

$\Gamma \mid \Delta, x : A_0 \vdash \langle A_1, v\rangle : \exists X.A_2 \dashv \Delta_1$ (1)

$x \in \mathrm{fv}(\langle A_1, v\rangle)$ (2)

by hypothesis.

$\Gamma \mid \Delta, x : A_0 \vdash v : A_2\{A_1/X\} \dashv \Delta_1$ (3)

by inversion on (t:Type-Pack) on (1).

$x \in \mathrm{fv}(v)$ (4)

[ $\mathrm{fv}(\langle A_1, v\rangle) = \mathrm{fv}(v)$ ]
by definition of $\mathrm{fv}$ and (2).

$x \notin \Delta_1$ (5)

by induction hypothesis on (4) and (3).

Thus, we conclude.

Case (t:Type-Open) - Analogous to (t:Loc-Open).

Case (t:Cap-Elim) - We have:

$\Gamma \mid \Delta_0, x : A_1 :: A_2 \vdash e : A_0 \dashv \Delta_1$ (1)

$x \in \mathrm{fv}(e)$ (2)

by hypothesis.

$\Gamma \mid \Delta_0, x : A_1, A_2 \vdash e : A_0 \dashv \Delta_1$ (3)

by inversion on (t:Cap-Elim) on (1).

$x \notin \Delta_1$ (4)

by induction hypothesis on (2) and (3).

Thus, we conclude.

Case (t:Cap-Stack) - We have:

$\Gamma \mid \Delta_0, x : A_0 \vdash e : A_1 :: A_2 \dashv \Delta_1$ (1)

$x \in \mathrm{fv}(e)$ (2)

by hypothesis.

$\Gamma \mid \Delta_0, x : A_0 \vdash e : A_1 \dashv \Delta_1, A_2$ (3)

by inversion on (t:Cap-Stack) on (1).

$x \notin \Delta_1, A_2$ (4)

by induction hypothesis on (3) and (2).

$x \notin \Delta_1$ (5)

by (4).

Thus, we conclude.

Case (t:Cap-Unstack) - We have:

$\Gamma \mid \Delta_0, x : A_0 \vdash e : A_1 \dashv \Delta_1, A_2$ (1)

$x \in \mathrm{fv}(e)$ (2)

by hypothesis.

$\Gamma \mid \Delta_0, x : A_0 \vdash e : A_1 :: A_2 \dashv \Delta_1$ (3)

by inversion on (t:Cap-Unstack) with (1).

$x \notin \Delta_1$ (4)

by induction hypothesis with (3) and (2).

Thus, we conclude.

Case (t:Frame) - We have:

$\Gamma \mid (\Delta_0, x : A_0) \circledast \Delta_2 \vdash e : A \dashv \Delta_1 \circledast \Delta_2$ (1)

$x \in \mathrm{fv}(e)$ (2)

by hypothesis.

$\Gamma \mid \Delta_0, x : A_0 \vdash e : A \dashv \Delta_1$ (3)

by inversion on (t:Frame) with (1); note that by (2) $x$ must be in the environment.

$x \notin \Delta_1$ (4)

by induction hypothesis.

$x \notin (\Delta_1 \circledast \Delta_2)$ (5)

since by (1) $x$ cannot be in $\Delta_2$.

Thus, we conclude.
Case (t:Subsumption) - We have:

$\Gamma \mid \Delta_0, x : A \vdash e : A_1 \dashv \Delta_1$ (1)

$x \in \mathrm{fv}(e)$ (2)

by hypothesis.

$\Delta_0, x : A <: \Delta_0', x : A'$ (3)

$\Gamma \mid \Delta_0', x : A' \vdash e : A_0 \dashv \Delta_1'$ (4)

$A_0 <: A_1$ (5)

$\Delta_1' <: \Delta_1$ (6)

by inversion on (t:Subsumption) with (1).

$x \notin \Delta_1'$ (7)

by induction hypothesis on (2) and (4).

$x \notin \Delta_1$ (8)

by (6) and (7), noting that the members of $\Delta_1$ and $\Delta_1'$ are the same.

Thus, we conclude.

Case (t:Tag) - We have:

$\Gamma \mid \Delta_0, x : A_0 \vdash \mathsf{l}\#v : A_1 \dashv \Delta_1$ (1)

$x \in \mathrm{fv}(\mathsf{l}\#v)$ (2)

by hypothesis.

$\Gamma \mid \Delta_0, x : A_0 \vdash v : A_1 \dashv \Delta_1$ (3)

by inversion on (t:Tag) with (1).

$x \in \mathrm{fv}(v)$ (4)

[ $\mathrm{fv}(\mathsf{l}\#v) = \mathrm{fv}(v)$ ]
by definition of $\mathrm{fv}$ and (2).

$x \notin \Delta_1$ (5)

by induction hypothesis on (3) and (4).

Thus, we conclude.
Case (t:Case) - We have:

$\Gamma \mid \Delta_0, x : A' \vdash \mathsf{case}\ v\ \mathsf{of}\ \mathsf{l}_j\#x_j \to e_j\ \mathsf{end} : A \dashv \Delta_1$ (1)

$x \in \mathrm{fv}(\mathsf{case}\ v\ \mathsf{of}\ \mathsf{l}_j\#x_j \to e_j\ \mathsf{end})$ (2)

[ $\mathrm{fv}(\mathsf{case}\ v\ \mathsf{of}\ \mathsf{l}_j\#x_j \to e_j\ \mathsf{end}) = \mathrm{fv}(v) \cup \mathrm{fv}(e_i)$ ], for some $i \leq j$

by hypothesis.

$\Gamma \mid \Delta_0, x : A' \vdash v : \Sigma_i\, \mathsf{l}_i\#A_i \dashv \Delta'$ (3)

$\Gamma \mid \Delta', x_i : A_i \vdash e_i : A \dashv \Delta_1$ (4)

$i \leq j$ (5)

by inversion on (t:Case) with (1).

Therefore, we have the following possibilities:

1. $x \in \mathrm{fv}(v) \wedge x \notin \mathrm{fv}(e_i)$

$x \notin \Delta'$ (1.1)

by induction hypothesis on (3) and case assumption.

$x \notin \Delta_1$ (1.2)

by (1.1) and (4).

Thus, we conclude.

2. $x \notin \mathrm{fv}(v) \wedge x \in \mathrm{fv}(e_i)$

$(x : A') \in \Delta'$ (2.1)

by $x \notin \mathrm{fv}(v)$.

$x \notin \Delta_1$ (2.2)

by induction hypothesis on (4) and (2.1).

Thus, we conclude.

3. $x \in \mathrm{fv}(v) \wedge x \in \mathrm{fv}(e_i)$

$x \notin \Delta'$ (3.1)

by induction hypothesis on (3) and sub-case hypothesis.

We reach a contradiction since $e_i$ is well-typed by (4) but $x \in \mathrm{fv}(e_i)$ contradicts (3.1). Thus, such a case cannot occur in a well-typed expression.

Case (t:Alternative-Left) - We have:

$\Gamma \mid \Delta_0, x : A_0, A_1 \oplus A_2 \vdash e : A_3 \dashv \Delta_1$ (1)

$x \in \mathrm{fv}(e)$ (2)

by hypothesis.

$\Gamma \mid \Delta_0, x : A_0, A_1 \vdash e : A_3 \dashv \Delta_1$ (3)

$\Gamma \mid \Delta_0, x : A_0, A_2 \vdash e : A_3 \dashv \Delta_1$ (4)

by inversion on (t:Alternative-Left) with (1).

$x \notin \Delta_1$ (5)

by induction hypothesis with (2) and (3).

Thus, we conclude.

Case (t:Intersection-Right) - Analogous to the previous case but using (t:Intersection-Right).
Case (t:Let) - We have:

$\Gamma \mid \Delta_0, x : A \vdash \mathsf{let}\ x_0 = e_0\ \mathsf{in}\ e_1\ \mathsf{end} : A_1 \dashv \Delta_2$ (1)

$x \in \mathrm{fv}(\mathsf{let}\ x_0 = e_0\ \mathsf{in}\ e_1\ \mathsf{end})$ (2)

[ $\mathrm{fv}(\mathsf{let}\ x_0 = e_0\ \mathsf{in}\ e_1\ \mathsf{end}) = \mathrm{fv}(e_0) \cup \mathrm{fv}(e_1)$ ]

by hypothesis.

$\Gamma \mid \Delta_0, x : A \vdash e_0 : A_0 \dashv \Delta_1$ (3)

$\Gamma \mid \Delta_1, x_0 : A_0 \vdash e_1 : A_1 \dashv \Delta_2$ (4)

by inversion on (t:Let) with (1).

Therefore, we have the following possibilities:

1. $x \in \mathrm{fv}(e_1) \wedge x \notin \mathrm{fv}(e_0)$

$(x : A) \in \Delta_1$ (1.1)

by $x \notin \mathrm{fv}(e_0)$.

$x \notin \Delta_2$ (1.2)

by induction hypothesis on (4) with (1.1).

Thus, we conclude.

2. $x \in \mathrm{fv}(e_0) \wedge x \in \mathrm{fv}(e_1)$

$x \notin \Delta_1$ (2.1)

by induction hypothesis on (3) and case assumption.

We reach a contradiction since $e_1$ is well-typed by (4) but $x \in \mathrm{fv}(e_1)$ contradicts (2.1). Thus, such a case cannot occur in a well-typed expression.

3. $x \in \mathrm{fv}(e_0) \wedge x \notin \mathrm{fv}(e_1)$

$x \notin \Delta_1$ (3.1)

by induction hypothesis on (3) and case assumption.

$x \notin \Delta_2$ (3.2)

by (3.1) and (4).

Thus, we conclude.

Case (t:Share), (t:Focus-Rely), (t:Defocus-Guarantee) - Not applicable: $x$ can never occur free in these expressions.

□
B.8 Well-Form Lemmas

Lemma 8 (Well-Formed Type Substitution). We have:

• For location variables:

1. If $\Gamma, t : \mathsf{loc}\ \mathsf{wf}$ and $\rho : \mathsf{loc} \in \Gamma$ then $\Gamma\{\rho/t\}\ \mathsf{wf}$.

2. If $\Gamma, t : \mathsf{loc} \vdash \Delta\ \mathsf{wf}$ and $\rho : \mathsf{loc} \in \Gamma$ then $\Gamma\{\rho/t\} \vdash \Delta\{\rho/t\}\ \mathsf{wf}$.

3. If $\Gamma, t : \mathsf{loc} \vdash A\ \mathsf{type}$ and $\rho : \mathsf{loc} \in \Gamma$ then $\Gamma\{\rho/t\} \vdash A\{\rho/t\}\ \mathsf{type}$.

• For type variables:

1. If $\Gamma, X : \mathsf{type}\ \mathsf{wf}$ and $\Gamma \vdash A\ \mathsf{type}$ then $\Gamma\{A/X\}\ \mathsf{wf}$.

2. If $\Gamma, X : \mathsf{type} \vdash \Delta\ \mathsf{wf}$ and $\Gamma \vdash A\ \mathsf{type}$ then $\Gamma\{A/X\} \vdash \Delta\{A/X\}\ \mathsf{wf}$.

3. If $\Gamma, X : \mathsf{type} \vdash A\ \mathsf{type}$ and $\Gamma \vdash A'\ \mathsf{type}$ then $\Gamma\{A'/X\} \vdash A\{A'/X\}\ \mathsf{type}$.

Proof. Straightforward by induction on the structure of $\Gamma$, $\Delta$ and types. □

Lemma 9 (Well-Formed Subtyping). We have two cases:

1. (Type) If $\Gamma \vdash A\ \mathsf{type}$ and $A <: A'$ then $\Gamma \vdash A'\ \mathsf{type}$.

2. (Delta) If $\Gamma \vdash \Delta\ \mathsf{wf}$ and $\Delta <: \Delta'$ then $\Gamma \vdash \Delta'\ \mathsf{wf}$.

Proof. Straightforward by induction on the definition of $<:$ for types and $\Delta$, respectively. □
B.9 Substitution Lemma

Lemma 10 (Substitution Lemma). We have the following substitution properties for both expression typing and type formation:

1. (Linear) If

$\Gamma \mid \Delta_0 \vdash v : A_0 \dashv \Delta_1$ and $\Gamma \mid \Delta_1, x : A_0 \vdash e : A_1 \dashv \Delta_2$

then

$\Gamma \mid \Delta_0 \vdash e\{v/x\} : A_1 \dashv \Delta_2$

2. (Pure) If

$\Gamma \mid \cdot \vdash v : !A_0 \dashv \cdot$ and $\Gamma, x : A_0 \mid \Delta_0 \vdash e : A_1 \dashv \Delta_1$

then

$\Gamma \mid \Delta_0 \vdash e\{v/x\} : A_1 \dashv \Delta_1$

(note that, due to the required pure types, the $\Delta$ environments used to check $v$ must be empty)

3. (Location Variable) If

$\Gamma, t : \mathsf{loc} \mid \Delta_0 \vdash e : A \dashv \Delta_1$ and $\rho : \mathsf{loc} \in \Gamma$

then

$\Gamma\{\rho/t\} \mid \Delta_0\{\rho/t\} \vdash e\{\rho/t\} : A\{\rho/t\} \dashv \Delta_1\{\rho/t\}$

Note that, since $t$ may appear free in all typing environments, in the expression and in its type, we must substitute into all of those elements.

4. (Type Variable) If

$\Gamma, X : \mathsf{type} \mid \Delta_0 \vdash e : A_0 \dashv \Delta_1$ and $\Gamma \vdash A_1\ \mathsf{type}$

then

$\Gamma\{A_1/X\} \mid \Delta_0\{A_1/X\} \vdash e\{A_1/X\} : A_0\{A_1/X\} \dashv \Delta_1\{A_1/X\}$

(replaces $X$ in all places where it may occur free)

Proof. We split the proof on each of the lemma's sub-parts:

1. (Linear)

Proof. We proceed by induction on the typing derivation of
$\Gamma \mid \Delta_1, x : A_0 \vdash e : A_1 \dashv \Delta_2$.

Case (t:Ref), (t:Pure), (t:Unit), (t:Pure-Read) - Not applicable since these rules require an empty $\Delta$ environment.

Case (t:Linear-Read) - We have:
$\Gamma \mid \Delta \vdash v : A \dashv \cdot$ (1)

$\Gamma \mid x : A \vdash x : A \dashv \cdot$ (2)

by hypothesis.

(note that $v$'s ending environment must be $\cdot$ to apply (t:Linear-Read)).

$\Gamma \mid \Delta \vdash x\{v/x\} : A \dashv \cdot$ (3)

by (vs:2) with (1) and $x$.

Thus, we conclude.

Case (t:Pure-Elim) - We have:

$\Gamma \mid \Delta_0 \vdash v : A_0 \dashv \Delta_1$ (1)

$\Gamma \mid \Delta_1, x_1 : !A_2, x_0 : A_0 \vdash e : A_1 \dashv \Delta_2$ (2)

by hypothesis.

$\Gamma, x_1 : A_2 \mid \Delta_1, x_0 : A_0 \vdash e : A_1 \dashv \Delta_2$ (3)

by inversion on (t:Pure-Elim) with (2).

$\Gamma, x_1 : A_2 \mid \Delta_1 \vdash e\{v/x_0\} : A_1 \dashv \Delta_2$ (4)

by induction hypothesis on (3) with (1).

$\Gamma \mid \Delta_1, x_1 : !A_2 \vdash e\{v/x_0\} : A_1 \dashv \Delta_2$ (5)

by (t:Pure-Elim) with (4).

Thus, we conclude.

Case (t:New) - We have:

$\Gamma \mid \Delta_0 \vdash v : A_0 \dashv \Delta_1$ (1)

$\Gamma \mid \Delta_1, x : A_0 \vdash \mathsf{new}\ v_0 : \exists t.(\mathsf{ref}\ t :: \mathsf{rw}\ t\ A_1) \dashv \Delta_2$ (2)

by hypothesis.

$\Gamma \mid \Delta_1, x : A_0 \vdash v_0 : A_1 \dashv \Delta_2$ (3)

by inversion on (t:New) with (2).

$\Gamma \mid \Delta_0 \vdash v_0\{v/x\} : A_1 \dashv \Delta_2$ (4)

by induction hypothesis with (1) and (3).

$\Gamma \mid \Delta_0 \vdash \mathsf{new}\ v_0\{v/x\} : \exists t.(\mathsf{ref}\ t :: \mathsf{rw}\ t\ A_1) \dashv \Delta_2$ (5)

by (t:New) with (4).

$\Gamma \mid \Delta_0 \vdash (\mathsf{new}\ v_0)\{v/x\} : \exists t.(\mathsf{ref}\ t :: \mathsf{rw}\ t\ A_1) \dashv \Delta_2$ (6)

by (vs:8) with (5).

Thus, we conclude.

Case (t:Delete) - We have:

$\Gamma \mid \Delta_0 \vdash v : A_0 \dashv \Delta_1$ (1)

$\Gamma \mid \Delta_1, x : A_0 \vdash \mathsf{delete}\ v_0 : \exists t.A_1 \dashv \Delta_2$ (2)

by hypothesis.

$\Gamma \mid \Delta_1, x : A_0 \vdash v_0 : \exists t.(\mathsf{ref}\ t :: \mathsf{rw}\ t\ A_1) \dashv \Delta_2$ (3)

by inversion on (t:Delete) with (2).

$\Gamma \mid \Delta_0 \vdash v_0\{v/x\} : \exists t.(\mathsf{ref}\ t :: \mathsf{rw}\ t\ A_1) \dashv \Delta_2$ (4)

by induction hypothesis with (1) and (3).

$\Gamma \mid \Delta_0 \vdash \mathsf{delete}\ v_0\{v/x\} : \exists t.A_1 \dashv \Delta_2$ (5)

by (t:Delete) with (4).

$\Gamma \mid \Delta_0 \vdash (\mathsf{delete}\ v_0)\{v/x\} : \exists t.A_1 \dashv \Delta_2$ (6)

by (vs:9) with (5).

Thus, we conclude.


Case (t:Assign) - We have:

$\Gamma \mid \Delta_0 \vdash v : A_0 \dashv \Delta_1$ (1)

$\Gamma \mid \Delta_1, x : A_0 \vdash v_0 := v_1 : A_1 \dashv \Delta_2, \mathsf{rw}\ \rho\ A_2$ (2)

by hypothesis.

$\Gamma \mid \Delta_1, x : A_0 \vdash v_1 : A_2 \dashv \Delta'$ (3)

$\Gamma \mid \Delta' \vdash v_0 : \mathsf{ref}\ \rho \dashv \Delta_2, \mathsf{rw}\ \rho\ A_1$ (4)

by inversion on (t:Assign) with (2).

We have that either:

(a) $x \in \mathrm{fv}(v_1)$

$x \notin \Delta'$ (1.1)

by (Free Variables Lemma) on (3).

$\Gamma \mid \Delta' \vdash v_0\{v/x\} : \mathsf{ref}\ \rho \dashv \Delta_2, \mathsf{rw}\ \rho\ A_1$ (1.2)

since $x$ cannot occur in $v_0$ by (1.1).

$\Gamma \mid \Delta_1 \vdash v_1\{v/x\} : A_2 \dashv \Delta'$ (1.3)

by induction hypothesis on (1) and (3).

$\Gamma \mid \Delta_1 \vdash v_0\{v/x\} := v_1\{v/x\} : A_1 \dashv \Delta_2, \mathsf{rw}\ \rho\ A_2$ (1.4)

by (t:Assign) on (1.2) and (1.3).

$\Gamma \mid \Delta_1 \vdash (v_0 := v_1)\{v/x\} : A_1 \dashv \Delta_2, \mathsf{rw}\ \rho\ A_2$ (1.5)

by (vs:11) on (1.4).

Thus, we conclude.

(b) $x \notin \mathrm{fv}(v_1)$

$(x : A_0) \in \Delta'$ (2.1)

by (3) and $x \notin \mathrm{fv}(v_1)$.

$\Gamma \mid \Delta'' \vdash v_0\{v/x\} : \mathsf{ref}\ \rho \dashv \Delta_2, \mathsf{rw}\ \rho\ A_1$ (2.2)

by induction hypothesis (since it is applied to $x$ wherever it is in the environment), where $\Delta''$ is the same as $\Delta'$ without $x$.

$\Gamma \mid \Delta_1 \vdash v_1\{v/x\} : A_2 \dashv \Delta''$ (2.3)

since $x$ cannot occur in $v_1$ by $x \notin \mathrm{fv}(v_1)$.

$\Gamma \mid \Delta_1 \vdash v_0\{v/x\} := v_1\{v/x\} : A_1 \dashv \Delta_2, \mathsf{rw}\ \rho\ A_2$ (2.4)

by (t:Assign) using (2.2) and (2.3).

$\Gamma \mid \Delta_1 \vdash (v_0 := v_1)\{v/x\} : A_1 \dashv \Delta_2, \mathsf{rw}\ \rho\ A_2$ (2.5)

by (vs:11) on (2.4).

Thus, we conclude.


Case (t:Dereference-Linear) - We have:

$\Gamma \mid \Delta_0 \vdash v : A_0 \dashv \Delta_1$ (1)

$\Gamma \mid \Delta_1, x : A_0 \vdash !v_0 : A_1 \dashv \Delta_2, \mathsf{rw}\ \rho\ []$ (2)

by hypothesis.

$\Gamma \mid \Delta_1, x : A_0 \vdash v_0 : \mathsf{ref}\ \rho \dashv \Delta_2, \mathsf{rw}\ \rho\ A_1$ (3)

by inversion on (t:Dereference-Linear) on (2).

$\Gamma \mid \Delta_1 \vdash v_0\{v/x\} : \mathsf{ref}\ \rho \dashv \Delta_2, \mathsf{rw}\ \rho\ A_1$ (4)

by induction hypothesis with (1) and (3).

$\Gamma \mid \Delta_1 \vdash !v_0\{v/x\} : A_1 \dashv \Delta_2, \mathsf{rw}\ \rho\ []$ (5)

by (t:Dereference-Linear) on (4).

$\Gamma \mid \Delta_1 \vdash (!v_0)\{v/x\} : A_1 \dashv \Delta_2, \mathsf{rw}\ \rho\ []$ (6)

by (vs:10) on (5).

Thus, we conclude.

Case (t:Dereference-Pure) - Analogous to (t:Dereference-Linear).

Case (t:Record) - We have:

$\Gamma \mid \Delta_0 \vdash v : A_0 \dashv \Delta_1$ (1)

$\Gamma \mid \Delta_1, x : A_0 \vdash \{\mathsf{f} = v'\} : [\mathsf{f} : A] \dashv \cdot$ (2)

by hypothesis.

$\Gamma \mid \Delta_1, x : A_0 \vdash v' : A \dashv \cdot$ (3)

by inversion with (t:Record) on (2).

$\Gamma \mid \Delta_1 \vdash v'\{v/x\} : A \dashv \cdot$ (4)

by induction hypothesis with (1) and (3).

$\Gamma \mid \Delta_1 \vdash \{\mathsf{f} = v'\{v/x\}\} : [\mathsf{f} : A] \dashv \cdot$ (5)

by (t:Record) on (4).

$\Gamma \mid \Delta_1 \vdash (\{\mathsf{f} = v'\})\{v/x\} : [\mathsf{f} : A] \dashv \cdot$ (6)

by (vs:5) on (5).

Thus, we conclude.

Case (t:Selection) - We have:

$\Gamma \mid \Delta_0 \vdash v : A_0 \dashv \Delta_1$ (1)

$\Gamma \mid \Delta_1, x : A_0 \vdash v_0.\mathsf{f} : A_1 \dashv \Delta_2$ (2)

by hypothesis.

$\Gamma \mid \Delta_1, x : A_0 \vdash v_0 : [\mathsf{f} : A_1] \dashv \Delta_2$ (3)

by inversion on (t:Selection) with (2).

$\Gamma \mid \Delta_1 \vdash v_0\{v/x\} : [\mathsf{f} : A_1] \dashv \Delta_2$ (4)

by induction hypothesis on (3) with (1).

$\Gamma \mid \Delta_1 \vdash v_0\{v/x\}.\mathsf{f} : A_1 \dashv \Delta_2$ (5)

by (t:Selection) on (4).

$\Gamma \mid \Delta_1 \vdash (v_0.\mathsf{f})\{v/x\} : A_1 \dashv \Delta_2$ (6)

by (vs:6) on (5).

Thus, we conclude.


Case (t:Application) - We have:

$\Gamma \mid \Delta_0 \vdash v : A_0 \dashv \Delta_1$ (1)

$\Gamma \mid \Delta_1, x : A_0 \vdash v_0\ v_1 : A_1 \dashv \Delta_2$ (2)

by hypothesis.

$\Gamma \mid \Delta_1, x : A_0 \vdash v_0 : A_2 \multimap A_1 \dashv \Delta'$ (3)

$\Gamma \mid \Delta' \vdash v_1 : A_2 \dashv \Delta_2$ (4)

by inversion on (t:Application) with (2).

We have that either:

(a) $x \in \mathrm{fv}(v_0)$

$x \notin \Delta'$ (1.1)

by (Free Variables Lemma) on (3).

$\Gamma \mid \Delta' \vdash v_1\{v/x\} : A_2 \dashv \Delta_2$ (1.2)

since $x$ cannot occur in $v_1$ by (1.1).

$\Gamma \mid \Delta_0 \vdash v_0\{v/x\} : A_2 \multimap A_1 \dashv \Delta'$ (1.3)

by induction hypothesis with (1) and (3).

$\Gamma \mid \Delta_0 \vdash v_0\{v/x\}\ v_1\{v/x\} : A_1 \dashv \Delta_2$ (1.4)

by (t:Application) with (1.2) and (1.3).

$\Gamma \mid \Delta_0 \vdash (v_0\ v_1)\{v/x\} : A_1 \dashv \Delta_2$ (1.5)

by (vs:7) on (1.4).

Thus, we conclude.

(b) $x \notin \mathrm{fv}(v_0)$

$(x : A_0) \in \Delta'$ (2.1)

by $x \notin \mathrm{fv}(v_0)$.

$\Gamma \mid \Delta'' \vdash v_1\{v/x\} : A_2 \dashv \Delta_2$ (2.2)

by induction hypothesis, where $\Delta''$ is $\Delta'$ without $x$.

$\Gamma \mid \Delta_0 \vdash v_0\{v/x\} : A_2 \multimap A_1 \dashv \Delta''$ (2.3)

since $x$ cannot occur in $v_0$ by $x \notin \mathrm{fv}(v_0)$ and (2.1).

$\Gamma \mid \Delta_0 \vdash v_0\{v/x\}\ v_1\{v/x\} : A_1 \dashv \Delta_2$ (2.4)

by (t:Application) on (2.2) and (2.3).

$\Gamma \mid \Delta_0 \vdash (v_0\ v_1)\{v/x\} : A_1 \dashv \Delta_2$ (2.5)

by (vs:7) on (2.4).

Thus, we conclude.


Case (t:Function) - We have:

$\Gamma \mid \Delta_0 \vdash v : A_0 \dashv \Delta_1$ (1)

$\Gamma \mid \Delta_1, x_0 : A_0 \vdash \mathsf{fun}(x_1 : A_1).e : A_1 \multimap A_2 \dashv \cdot$ (2)

by hypothesis.

$\Gamma \mid \Delta_1, x_1 : A_1, x_0 : A_0 \vdash e : A_2 \dashv \cdot$ (3)

by inversion on (t:Function) with (2).

$x_1 \neq x_0$ (4)

by definition of substitution up to renaming of bound variables.

$\Gamma \mid \Delta_1, x_1 : A_1 \vdash e\{v/x_0\} : A_2 \dashv \cdot$ (5)

by induction hypothesis with (1) and (3).

$\Gamma \mid \Delta_1 \vdash \mathsf{fun}(x_1 : A_1).e\{v/x_0\} : A_1 \multimap A_2 \dashv \cdot$ (6)

by (t:Function) with (5).

$\Gamma \mid \Delta_1 \vdash (\mathsf{fun}(x_1 : A_1).e)\{v/x_0\} : A_1 \multimap A_2 \dashv \cdot$ (7)

by (vs:4) on (6) and (4).

Thus, we conclude.


Case (t:Forall-Loc) - We have:

$\Gamma \mid \Delta_0 \vdash v : A_0 \dashv \Delta_1$ (1)

$\Gamma \mid \Delta_1, x : A_0 \vdash \langle t\rangle e : \forall t.A_1 \dashv \cdot$ (2)

by hypothesis.

$\Gamma, t : \mathsf{loc} \mid \Delta_1, x : A_0 \vdash e : A_1 \dashv \cdot$ (3)

by inversion on (t:Forall-Loc) with (2).

$\Gamma, t : \mathsf{loc} \mid \Delta_1 \vdash e\{v/x\} : A_1 \dashv \cdot$ (4)

by induction hypothesis with (1) and (3).

$\Gamma \mid \Delta_1 \vdash \langle t\rangle e\{v/x\} : \forall t.A_1 \dashv \cdot$ (5)

by (t:Forall-Loc) on (4).

$\Gamma \mid \Delta_1 \vdash (\langle t\rangle e)\{v/x\} : \forall t.A_1 \dashv \cdot$ (6)

by (vs:14) on (5).

Thus, we conclude.


Case (t:Loc-App) - We have:

$\Gamma \mid \Delta_0 \vdash v : A_0 \dashv \Delta_1$ (1)

$\Gamma \mid \Delta_1, x : A_0 \vdash v_0[\rho] : A_1\{\rho/t\} \dashv \Delta_2$ (2)

by hypothesis.

$\rho : \mathsf{loc} \in \Gamma$ (3)

$\Gamma \mid \Delta_1, x : A_0 \vdash v_0 : \forall t.A_1 \dashv \Delta_2$ (4)

by inversion on (t:Loc-App) with (2).

$\Gamma \mid \Delta_1 \vdash v_0\{v/x\} : \forall t.A_1 \dashv \Delta_2$ (5)

by induction hypothesis on (4) and (1).

$\Gamma \mid \Delta_1 \vdash v_0\{v/x\}[\rho] : A_1\{\rho/t\} \dashv \Delta_2$ (6)

by (t:Loc-App) on (5) and (3).

$\Gamma \mid \Delta_1 \vdash (v_0[\rho])\{v/x\} : A_1\{\rho/t\} \dashv \Delta_2$ (7)

by (vs:13) on (6).

Thus, we conclude.


Case (t:Loc-Pack) - We have:

$\Gamma \mid \Delta_0 \vdash v : A_0 \dashv \Delta_1$ (1)

$\Gamma \mid \Delta_1, x : A_0 \vdash \langle \rho, v_0\rangle : \exists t.A_1 \dashv \Delta_2$ (2)

by hypothesis.

$\Gamma \mid \Delta_1, x : A_0 \vdash v_0 : A_1\{\rho/t\} \dashv \Delta_2$ (3)

by inversion on (t:Loc-Pack) with (2).

$\Gamma \mid \Delta_1 \vdash v_0\{v/x\} : A_1\{\rho/t\} \dashv \Delta_2$ (4)

by induction hypothesis on (1) and (3).

$\Gamma \mid \Delta_1 \vdash \langle \rho, v_0\{v/x\}\rangle : \exists t.A_1 \dashv \Delta_2$ (5)

by (t:Loc-Pack) on (4).

$\Gamma \mid \Delta_1 \vdash (\langle \rho, v_0\rangle)\{v/x\} : \exists t.A_1 \dashv \Delta_2$ (6)

by (vs:12) on (5).

Thus, we conclude.


Case (t:Loc-Open) - We have:

$\Gamma \mid \Delta_0 \vdash v : A_0 \dashv \Delta_1$ (1)

$\Gamma \mid \Delta_1, x_0 : A_0 \vdash \mathsf{open}\ \langle t, x_1\rangle = v_0\ \mathsf{in}\ e_1\ \mathsf{end} : A_1 \dashv \Delta_2$ (2)

by hypothesis.

$\Gamma \mid \Delta_1, x_0 : A_0 \vdash v_0 : \exists t.A_2 \dashv \Delta'$ (3)

$\Gamma, t : \mathsf{loc} \mid \Delta', x_1 : A_2 \vdash e_1 : A_1 \dashv \Delta_2$ (4)

by inversion on (t:Loc-Open) with (2).

We have that either:

(a) $x_0 \in \mathrm{fv}(v_0)$

$x_0 \notin \Delta'$ (1.1)

by (Free Variables Lemma) on (3).

$x_0 \neq x_1$ (1.2)

by definition of substitution up to renaming of bound variables.

$\Gamma, t : \mathsf{loc} \mid \Delta', x_1 : A_2 \vdash e_1\{v/x_0\} : A_1 \dashv \Delta_2$ (1.3)

since, by (1.1), $x_0$ cannot occur in $e_1$, nor in $\Gamma$ by (3).

$\Gamma \mid \Delta_1 \vdash v_0\{v/x_0\} : \exists t.A_2 \dashv \Delta'$ (1.4)

by induction hypothesis on (1) and (3).

$\Gamma \mid \Delta_1 \vdash \mathsf{open}\ \langle t, x_1\rangle = v_0\{v/x_0\}\ \mathsf{in}\ e_1\{v/x_0\}\ \mathsf{end} : A_1 \dashv \Delta_2$ (1.5)

by (t:Loc-Open) on (1.3) and (1.4).

$\Gamma \mid \Delta_1 \vdash (\mathsf{open}\ \langle t, x_1\rangle = v_0\ \mathsf{in}\ e_1\ \mathsf{end})\{v/x_0\} : A_1 \dashv \Delta_2$ (1.6)

by (vs:15) on (1.5) and (1.2).

Thus, we conclude.

(b) $x_0 \notin \mathrm{fv}(v_0)$

$(x_0 : A_0) \in \Delta'$ (2.1)

by $x_0 \notin \mathrm{fv}(v_0)$.

$x_0 \neq x_1$ (2.2)

by definition of substitution up to renaming of bound variables.

$\Gamma, t : \mathsf{loc} \mid \Delta'', x_1 : A_2 \vdash e_1\{v/x_0\} : A_1 \dashv \Delta_2$ (2.3)

by induction hypothesis, with $\Delta''$ equal to $\Delta'$ without $x_0$.

$\Gamma \mid \Delta_1 \vdash v_0\{v/x_0\} : \exists t.A_2 \dashv \Delta''$ (2.4)

since $x_0$ cannot occur in $v_0$ by $x_0 \notin \mathrm{fv}(v_0)$.

$\Gamma \mid \Delta_1 \vdash \mathsf{open}\ \langle t, x_1\rangle = v_0\{v/x_0\}\ \mathsf{in}\ e_1\{v/x_0\}\ \mathsf{end} : A_1 \dashv \Delta_2$ (2.5)

by (t:Loc-Open) on (2.3) and (2.4).

$\Gamma \mid \Delta_1 \vdash (\mathsf{open}\ \langle t, x_1\rangle = v_0\ \mathsf{in}\ e_1\ \mathsf{end})\{v/x_0\} : A_1 \dashv \Delta_2$ (2.6)

by (vs:15) on (2.2) and (2.5).

Thus, we conclude.


Case (t:Forall-Type) - Analogous to (t:Forall-Loc) with (vs:18).

Case (t:Type-App) - Analogous to (t:Loc-App) with (vs:17).

Case (t:Type-Pack) - Analogous to (t:Loc-Pack) with (vs:16).

Case (t:Type-Open) - Analogous to (t:Loc-Open) with (vs:19).

Case (t:Cap-Elim) - We have:

$\Gamma \mid \Delta_0 \vdash v : A_0 \dashv \Delta_1, x_1 : A_2 :: A_3$ (1)
$\Gamma \mid \Delta_1, x_1 : A_2 :: A_3, x_0 : A_0 \vdash e : A_1 \dashv \Delta_2$ (2)
by hypothesis.

$\Gamma \mid \Delta_1, x_1 : A_2, A_3, x_0 : A_0 \vdash e : A_1 \dashv \Delta_2$ (3)
by inversion on (t:Cap-Elim) with (2).

$\Gamma \mid \Delta_1, x_1 : A_2, A_3 \vdash e\{v/x_0\} : A_1 \dashv \Delta_2$ (4)
by induction hypothesis with (1) and (3).

$\Gamma \mid \Delta_1, x_1 : A_2 :: A_3 \vdash e\{v/x_0\} : A_1 \dashv \Delta_2$ (5)
by (t:Cap-Elim) with (4).

Thus, we conclude.

Case (t:Cap-Stack) - We have:

$\Gamma \mid \Delta_0 \vdash v : A_0 \dashv \Delta_1$ (1)
$\Gamma \mid \Delta_1, x : A_0 \vdash e : A_1 :: A_2 \dashv \Delta_2$ (2)
by hypothesis.

$\Gamma \mid \Delta_1, x : A_0 \vdash e : A_1 \dashv \Delta_2, A_2$ (3)
by inversion on (t:Cap-Stack) with (2).

$\Gamma \mid \Delta_1 \vdash e\{v/x\} : A_1 \dashv \Delta_2, A_2$ (4)
by induction hypothesis with (1) and (3).

$\Gamma \mid \Delta_1 \vdash e\{v/x\} : A_1 :: A_2 \dashv \Delta_2$ (5)
by (t:Cap-Stack) on (4).

Thus, we conclude.

Case (t:Cap-Unstack) - We have:

$\Gamma \mid \Delta_0 \vdash v : A_0 \dashv \Delta_1$ (1)
$\Gamma \mid \Delta_1, x : A_0 \vdash e : A_1 \dashv \Delta_2, A_2$ (2)
by hypothesis.

$\Gamma \mid \Delta_1, x : A_0 \vdash e : A_1 :: A_2 \dashv \Delta_2$ (3)
by inversion on (t:Cap-Unstack) with (2).

$\Gamma \mid \Delta_1 \vdash e\{v/x\} : A_1 :: A_2 \dashv \Delta_2$ (4)
by induction hypothesis with (1) and (3).

$\Gamma \mid \Delta_1 \vdash e\{v/x\} : A_1 \dashv \Delta_2, A_2$ (5)
by (t:Cap-Unstack) with (4).

Thus, we conclude.

Case (t:Subsumption) - We have:

$\Gamma \mid \Delta_0 \vdash v : A_0 \dashv \Delta_1$ (1)
$\Gamma \mid \Delta_1, x : A_0 \vdash e : A_1 \dashv \Delta_2$ (2)
by hypothesis.

$\Delta_1, x : A_0 <: \Delta_1', x : A_0'$ (3)
$\Gamma \mid \Delta_1', x : A_0' \vdash e : A_2 \dashv \Delta_2'$ (4)
$\Delta_2' <: \Delta_2$ (5)
$A_2 <: A_1$ (6)
by inversion on (t:Subsumption) on (2).

$A_0 <: A_0'$ (7)
by (Subtyping Inversion Lemma) on (3) on $x$.

$\Gamma \mid \Delta_0 \vdash v : A_0' \dashv \Delta_1'$ (8)
by (t:Subsumption) on (1) with (7).

$\Gamma \mid \Delta_1' \vdash e\{v/x\} : A_2 \dashv \Delta_2'$ (9)
by induction hypothesis on (4) and (8).

$\Delta_1 <: \Delta_1'$ (10)
by (Subtyping Inversion Lemma) on (3).

$\Gamma \mid \Delta_1 \vdash e\{v/x\} : A_1 \dashv \Delta_2$ (11)
by (t:Subsumption) on (9) with (10), (5) and (6).

Thus, we conclude.
Case (t:Frame) - We have:

$\Gamma \mid \Delta_0 \vdash v : A_0 \dashv \Delta_1$ (1)
$\Gamma \mid (\Delta_1, x : A_0) \circledast \Delta_3 \vdash e : A_1 \dashv \Delta_2 \circledast \Delta_3$ (2)
by hypothesis.

$\Gamma \mid \Delta_1, x : A_0 \vdash e : A_1 \dashv \Delta_2$ (3)
by inversion on (t:Frame) with (2).

$\Gamma \mid \Delta_1 \vdash e\{v/x\} : A_1 \dashv \Delta_2$ (4)
by induction hypothesis with (1) and (3).

$\Gamma \mid \Delta_1 \circledast \Delta_3 \vdash e\{v/x\} : A_1 \dashv \Delta_2 \circledast \Delta_3$ (5)
by (t:Frame) on (4) with $\Delta_3$.

Thus, we conclude.

Case (t:Tag) - We have:

$\Gamma \mid \Delta_0 \vdash v : A_0 \dashv \Delta_1$ (1)
$\Gamma \mid \Delta_1, x : A_0 \vdash l\#v_0 : l\#A_1 \dashv \Delta_2$ (2)
by hypothesis.

$\Gamma \mid \Delta_1, x : A_0 \vdash v_0 : A_1 \dashv \Delta_2$ (3)
by inversion (t:Tag) with (2).

$\Gamma \mid \Delta_1 \vdash v_0\{v/x\} : A_1 \dashv \Delta_2$ (4)
by induction hypothesis with (1) and (3).

$\Gamma \mid \Delta_1 \vdash l\#v_0\{v/x\} : l\#A_1 \dashv \Delta_2$ (5)
by (t:Tag) with (4).

$\Gamma \mid \Delta_1 \vdash (l\#v_0)\{v/x\} : l\#A_1 \dashv \Delta_2$ (6)
by (vs:20) on (5).

Thus, we conclude.

Case (t:Case) - We have:

$\Gamma \mid \Delta_0 \vdash v : A_0 \dashv \Delta_1$ (1)
$\Gamma \mid \Delta_1, x : A_0 \vdash \mathsf{case}\ v_0\ \mathsf{of}\ l_j\#x_j \to e_j\ \mathsf{end} : A \dashv \Delta_2$ (2)
by hypothesis.

$\Gamma \mid \Delta_1, x : A_0 \vdash v_0 : \Sigma_i\, l_i\#A_i \dashv \Delta'$ (3)
$\Gamma \mid \Delta', x_i : A_i \vdash e_i : A \dashv \Delta_2$ (4)
$i \leq j$ (5)
by inversion (t:Case) with (2).

We have that either:

(a) $x \in fv(v_0)$

$x \notin \Delta'$ (1.1)
by (Free Variables Lemma) on (3).

$x \neq x_j$ (1.2)
by def. of substitution up to rename of bounded variables.

$\Gamma \mid \Delta', x_i : A_i \vdash e_i\{v/x\} : A \dashv \Delta_2$ (1.3)
since $x$ cannot occur in $e_i$ by (1.1), nor in $\Gamma$ by (3).

$\Gamma \mid \Delta_1 \vdash v_0\{v/x\} : \Sigma_i\, l_i\#A_i \dashv \Delta'$ (1.4)
by induction hypothesis on (1) and (3).

$\Gamma \mid \Delta_1 \vdash \mathsf{case}\ v_0\{v/x\}\ \mathsf{of}\ l_j\#x_j \to e_j\{v/x\}\ \mathsf{end} : A \dashv \Delta_2$ (1.5)
by (t:Case) on (5), (1.3) and (1.4).

$\Gamma \mid \Delta_1 \vdash (\mathsf{case}\ v_0\ \mathsf{of}\ l_j\#x_j \to e_j\ \mathsf{end})\{v/x\} : A \dashv \Delta_2$ (1.6)
by (vs:21) on (1.5) and (1.2).

Thus, we conclude.

(b) $x \notin fv(v_0)$

$(x : A_0) \in \Delta'$ (2.1)
by $x \notin fv(v_0)$.

$x \neq x_j$ (2.2)
by def. of substitution up to rename of bounded variables.

$\Gamma \mid \Delta'', x_i : A_i \vdash e_i\{v/x\} : A \dashv \Delta_2$ (2.3)
by induction hypothesis where $\Delta''$ is the same as $\Delta'$ without $x$.

$\Gamma \mid \Delta_1 \vdash v_0\{v/x\} : \Sigma_i\, l_i\#A_i \dashv \Delta''$ (2.4)
since $x$ cannot occur in $v_0$ by $x \notin fv(v_0)$.

$\Gamma \mid \Delta_1 \vdash \mathsf{case}\ v_0\{v/x\}\ \mathsf{of}\ l_j\#x_j \to e_j\{v/x\}\ \mathsf{end} : A \dashv \Delta_2$ (2.5)
by (t:Case) on (5), (2.3) and (2.4).

$\Gamma \mid \Delta_1 \vdash (\mathsf{case}\ v_0\ \mathsf{of}\ l_j\#x_j \to e_j\ \mathsf{end})\{v/x\} : A \dashv \Delta_2$ (2.6)
by (vs:21) on (2.1) and (2.5).

Thus, we conclude.

Case (t:Alternative-Left), (t:Intersection-Right) - Immediate by applying the induction hypothesis on the inversion and then re-applying the rule.

Case (t:Let) - Analogous to previous cases.

Case (t:Share), (t:Focus-Rely), (t:Defocus-Guarantee) - Immediate since these expressions do not have free variables to substitute.


□ 


2. (Pure)

Proof. We proceed by induction on the typing derivation of $\Gamma, x : A_0 \mid \Delta_0 \vdash e : A_1 \dashv \Delta_1$.

Case (t:Ref) - We have:

$\Gamma, p : \mathsf{loc} \mid \cdot \vdash v : !A_0 \dashv \cdot$ (1)
$\Gamma, p : \mathsf{loc}, x : A_0 \mid \cdot \vdash p : \mathsf{ref}\ p \dashv \cdot$ (2)
by hypothesis.

$\Gamma, p : \mathsf{loc} \mid \cdot \vdash p : \mathsf{ref}\ p \dashv \cdot$ (3)
by $x \notin fv(p)$ on (2).

$\Gamma, p : \mathsf{loc} \mid \cdot \vdash p\{v/x\} : \mathsf{ref}\ p \dashv \cdot$ (4)
by (vs:1) on (3) using $x$ and $v$.

Thus, we conclude.

Case (t:Pure) - We have:

$\Gamma \mid \cdot \vdash v_0 : !A_0 \dashv \cdot$ (1)
$\Gamma, x_0 : A_0 \mid \cdot \vdash v_1 : !A_1 \dashv \cdot$ (2)
by hypothesis.

$\Gamma, x_0 : A_0 \mid \cdot \vdash v_1 : A_1 \dashv \cdot$ (3)
by inversion on (t:Pure) with (2).

$\Gamma \mid x_0 : !A_0 \vdash v_1 : A_1 \dashv \cdot$ (4)
by (t:Pure-Elim) on (3) with $x_0$.

$\Gamma \mid \cdot \vdash v_1\{v_0/x_0\} : A_1 \dashv \cdot$ (5)
by (Substitution Lemma - Linear) with (1) and (4).

$\Gamma \mid \cdot \vdash v_1\{v_0/x_0\} : !A_1 \dashv \cdot$ (6)
by (t:Pure) on (5).

Thus, we conclude.

Case (t:Unit) - We have:

$\Gamma \mid \cdot \vdash v_0 : !A_0 \dashv \cdot$ (1)
$\Gamma, x : A_0 \mid \cdot \vdash v_1 : [] \dashv \cdot$ (2)
by hypothesis.

$\Gamma \mid \cdot \vdash v_1\{v_0/x\} : [] \dashv \cdot$ (3)
substitution on $x$ cannot change the type since $[]$ is always valid by (t:Unit) (and substitution cannot change a value to become an expression).

Thus, we conclude.


Case (t:Pure-Read) - We have:

$\Gamma \mid \cdot \vdash v : !A_0 \dashv \cdot$ (1)
$\Gamma, x_0 : A_0 \mid \cdot \vdash x_1 : !A_1 \dashv \cdot$ (2)
by hypothesis (matching environments and type with (t:Pure-Read)).

We have that either:

(a) $x_0 = x_1$

$\Gamma \mid \cdot \vdash v : !A \dashv \cdot$ (1.1)
$\Gamma, x : A \mid \cdot \vdash x : !A \dashv \cdot$ (1.2)
by restated hypothesis with $x = x_0 = x_1$ and with $A = A_0 = A_1$.

$\Gamma \mid \cdot \vdash x\{v/x\} : !A \dashv \cdot$ (1.3)
by (vs:2) on (1.1) using $x$ and $v$.

Thus, we conclude.

(b) $x_0 \neq x_1$

$\Gamma \mid \cdot \vdash x_1 : !A_1 \dashv \cdot$ (2.1)
by $x_0 \notin fv(x_1)$ on (2).

$\Gamma \mid \cdot \vdash x_1\{v/x_0\} : !A_1 \dashv \cdot$ (2.2)
by (vs:3) on (2.1) using $x_0$ and $v$.

Thus, we conclude.

Case (t:Linear-Read) - We have:

$\Gamma \mid \cdot \vdash v : !A_0 \dashv \cdot$ (1)
$\Gamma, x_0 : A_0 \mid x_1 : A_1 \vdash x_1 : A_1 \dashv \cdot$ (2)
by hypothesis.

$x_0 \neq x_1$ (3)
since $\Gamma$ and $\Delta$ identifiers cannot collide.

$\Gamma \mid x_1 : A_1 \vdash x_1\{v/x_0\} : A_1 \dashv \cdot$ (4)
by (vs:3) on (2) using $x_0$ and $v$.

Thus, we conclude.

Case (t:Pure-Elim) - We have:

$\Gamma \mid \cdot \vdash v : !A_0 \dashv \cdot$ (1)
$\Gamma, x_0 : A_0 \mid \Delta_0, x_1 : !A_2 \vdash e : A_1 \dashv \Delta_1$ (2)
by hypothesis.

$\Gamma, x_0 : A_0, x_1 : A_2 \mid \Delta_0 \vdash e : A_1 \dashv \Delta_1$ (3)
by inversion on (t:Pure-Elim) with (2).

$\Gamma, x_1 : A_2 \mid \Delta_0 \vdash e\{v/x_0\} : A_1 \dashv \Delta_1$ (4)
by induction hypothesis on (1) with (3).

$\Gamma \mid \Delta_0, x_1 : !A_2 \vdash e\{v/x_0\} : A_1 \dashv \Delta_1$ (5)
by (t:Pure-Elim) on (4).

Thus, we conclude.

Case (t:New) - We have:

$\Gamma \mid \cdot \vdash v : !A_0 \dashv \cdot$ (1)
$\Gamma, x : A_0 \mid \Delta_0 \vdash \mathsf{new}\ v_0 : \exists t.(\mathsf{ref}\ t :: \mathsf{rw}\ t\ A_1) \dashv \Delta_1$ (2)
by hypothesis.

$\Gamma, x : A_0 \mid \Delta_0 \vdash v_0 : A_1 \dashv \Delta_1$ (3)
by inversion on (t:New) with (2).

$\Gamma \mid \Delta_0 \vdash v_0\{v/x\} : A_1 \dashv \Delta_1$ (4)
by induction hypothesis with (3) and (1).

$\Gamma \mid \Delta_0 \vdash \mathsf{new}\ v_0\{v/x\} : \exists t.(\mathsf{ref}\ t :: \mathsf{rw}\ t\ A_1) \dashv \Delta_1$ (5)
by (t:New) with (4).

$\Gamma \mid \Delta_0 \vdash (\mathsf{new}\ v_0)\{v/x\} : \exists t.(\mathsf{ref}\ t :: \mathsf{rw}\ t\ A_1) \dashv \Delta_1$ (6)
by (vs:8) on (5).

Thus, we conclude.

Case (t:Delete) - We have:

$\Gamma \mid \cdot \vdash v : !A_0 \dashv \cdot$ (1)
$\Gamma, x : A_0 \mid \Delta_0 \vdash \mathsf{delete}\ v_0 : \exists t.A_1 \dashv \Delta_1$ (2)
by hypothesis.

$\Gamma, x : A_0 \mid \Delta_0 \vdash v_0 : \exists t.(\mathsf{ref}\ t :: \mathsf{rw}\ t\ A_1) \dashv \Delta_1$ (3)
by inversion on (t:Delete) with (2).

$\Gamma \mid \Delta_0 \vdash v_0\{v/x\} : \exists t.(\mathsf{ref}\ t :: \mathsf{rw}\ t\ A_1) \dashv \Delta_1$ (4)
by induction hypothesis with (3) and (1).

$\Gamma \mid \Delta_0 \vdash \mathsf{delete}\ v_0\{v/x\} : \exists t.A_1 \dashv \Delta_1$ (5)
by (t:Delete) with (4).

$\Gamma \mid \Delta_0 \vdash (\mathsf{delete}\ v_0)\{v/x\} : \exists t.A_1 \dashv \Delta_1$ (6)
by (vs:9) on (5).

Thus, we conclude.

Case (t:Assign) - We have:

$\Gamma \mid \cdot \vdash v : !A_0 \dashv \cdot$ (1)
$\Gamma, x : A_0 \mid \Delta_0 \vdash v_0 := v_1 : A_1 \dashv \Delta_2, \mathsf{rw}\ p\ A_2$ (2)
by hypothesis.

$\Gamma, x : A_0 \mid \Delta_0 \vdash v_1 : A_2 \dashv \Delta_1$ (3)
$\Gamma, x : A_0 \mid \Delta_1 \vdash v_0 : \mathsf{ref}\ p \dashv \Delta_2, \mathsf{rw}\ p\ A_1$ (4)
by inversion on (t:Assign) with (2).

$\Gamma \mid \Delta_0 \vdash v_1\{v/x\} : A_2 \dashv \Delta_1$ (5)
by induction hypothesis on (3) with (1).

$\Gamma \mid \Delta_1 \vdash v_0\{v/x\} : \mathsf{ref}\ p \dashv \Delta_2, \mathsf{rw}\ p\ A_1$ (6)
by induction hypothesis on (4) with (1).

$\Gamma \mid \Delta_0 \vdash v_0\{v/x\} := v_1\{v/x\} : A_1 \dashv \Delta_2, \mathsf{rw}\ p\ A_2$ (7)
by (t:Assign) with (5) and (6).

$\Gamma \mid \Delta_0 \vdash (v_0 := v_1)\{v/x\} : A_1 \dashv \Delta_2, \mathsf{rw}\ p\ A_2$ (8)
by (vs:11) on (7).

Thus, we conclude.

Case (t:Dereference-Linear) - We have:

$\Gamma \mid \cdot \vdash v : !A_0 \dashv \cdot$ (1)
$\Gamma, x : A_0 \mid \Delta_0 \vdash\ !v_0 : A_1 \dashv \Delta_1, \mathsf{rw}\ p\ []$ (2)
by hypothesis.

$\Gamma, x : A_0 \mid \Delta_0 \vdash v_0 : \mathsf{ref}\ p \dashv \Delta_1, \mathsf{rw}\ p\ A_1$ (3)
by inversion on (t:Dereference-Linear) with (2).

$\Gamma \mid \Delta_0 \vdash v_0\{v/x\} : \mathsf{ref}\ p \dashv \Delta_1, \mathsf{rw}\ p\ A_1$ (4)
by induction hypothesis on (3) with (1).

$\Gamma \mid \Delta_0 \vdash\ !v_0\{v/x\} : A_1 \dashv \Delta_1, \mathsf{rw}\ p\ []$ (5)
by (t:Dereference-Linear) with (4).

$\Gamma \mid \Delta_0 \vdash (!v_0)\{v/x\} : A_1 \dashv \Delta_1, \mathsf{rw}\ p\ []$ (6)
by (vs:10) on (5).

Thus, we conclude.

Case (t:Dereference-Pure) - Analogous to (t:Dereference-Linear).

Case (t:Record) - We have:

$\Gamma \mid \cdot \vdash v : !A' \dashv \cdot$ (1)
$\Gamma, x : A' \mid \Delta \vdash \{\overline{f = v'}\} : [\overline{f : A}] \dashv \cdot$ (2)
by hypothesis.

$\Gamma, x : A' \mid \Delta \vdash v'_i : A_i \dashv \cdot$ (3)
by inversion on (t:Record) with (2).

$\Gamma \mid \Delta \vdash v'_i\{v/x\} : A_i \dashv \cdot$ (4)
by induction hypothesis on (3) with (1).

$\Gamma \mid \Delta \vdash \{\overline{f = v'\{v/x\}}\} : [\overline{f : A}] \dashv \cdot$ (5)
by (t:Record) on (4).

$\Gamma \mid \Delta \vdash (\{\overline{f = v'}\})\{v/x\} : [\overline{f : A}] \dashv \cdot$ (6)
by (vs:5) on (5).

Thus, we conclude.

Case (t:Selection) - We have:

$\Gamma \mid \cdot \vdash v : !A' \dashv \cdot$ (1)
$\Gamma, x : A' \mid \Delta_0 \vdash v_0.f : A \dashv \Delta_1$ (2)
by hypothesis.

$\Gamma, x : A' \mid \Delta_0 \vdash v_0 : [f : A] \dashv \Delta_1$ (3)
by inversion on (t:Selection) with (2).

$\Gamma \mid \Delta_0 \vdash v_0\{v/x\} : [f : A] \dashv \Delta_1$ (4)
by induction hypothesis with (1) and (3).

$\Gamma \mid \Delta_0 \vdash v_0\{v/x\}.f : A \dashv \Delta_1$ (5)
by (t:Selection) with (4).

$\Gamma \mid \Delta_0 \vdash (v_0.f)\{v/x\} : A \dashv \Delta_1$ (6)
by (vs:6) on (5).

Thus, we conclude.

Case (t:Application) - We have:

$\Gamma \mid \cdot \vdash v : !A' \dashv \cdot$ (1)
$\Gamma, x : A' \mid \Delta_0 \vdash v_0\ v_1 : A_1 \dashv \Delta_2$ (2)
by hypothesis.

$\Gamma, x : A' \mid \Delta_0 \vdash v_0 : A_0 \multimap A_1 \dashv \Delta_1$ (3)
$\Gamma, x : A' \mid \Delta_1 \vdash v_1 : A_0 \dashv \Delta_2$ (4)
by inversion on (t:Application) with (2).

$\Gamma \mid \Delta_0 \vdash v_0\{v/x\} : A_0 \multimap A_1 \dashv \Delta_1$ (5)
by induction hypothesis with (1) on (3).

$\Gamma \mid \Delta_1 \vdash v_1\{v/x\} : A_0 \dashv \Delta_2$ (6)
by induction hypothesis with (1) on (4).

$\Gamma \mid \Delta_0 \vdash v_0\{v/x\}\ v_1\{v/x\} : A_1 \dashv \Delta_2$ (7)
by (t:Application) with (5) and (6).

$\Gamma \mid \Delta_0 \vdash (v_0\ v_1)\{v/x\} : A_1 \dashv \Delta_2$ (8)
by (vs:7) on (7).

Thus, we conclude.

Case (t:Function) - We have:

$\Gamma \mid \cdot \vdash v : !A' \dashv \cdot$ (1)
$\Gamma, x_0 : A' \mid \Delta' \vdash \mathsf{fun}(x_1 : A_0).e : A_0 \multimap A_1 \dashv \cdot$ (2)
by hypothesis.

$\Gamma, x_0 : A' \mid \Delta', x_1 : A_0 \vdash e : A_1 \dashv \cdot$ (3)
by inversion on (t:Function) with (2).

$x_0 \neq x_1$ (4)
by def. of substitution up to rename of bounded variables.

$\Gamma \mid \Delta', x_1 : A_0 \vdash e\{v/x_0\} : A_1 \dashv \cdot$ (5)
by induction hypothesis with (3) and (1).

$\Gamma \mid \Delta' \vdash \mathsf{fun}(x_1 : A_0).e\{v/x_0\} : A_0 \multimap A_1 \dashv \cdot$ (6)
by (t:Function) with (5).

$\Gamma \mid \Delta' \vdash (\mathsf{fun}(x_1 : A_0).e)\{v/x_0\} : A_0 \multimap A_1 \dashv \cdot$ (7)
by (vs:4) on (6) and (4).

Thus, we conclude.

Case (t:Forall-Loc) - We have:

$\Gamma \mid \cdot \vdash v : !A' \dashv \cdot$ (1)
$\Gamma, x : A' \mid \Delta_0 \vdash \langle t \rangle\ e : \forall t.A \dashv \cdot$ (2)
by hypothesis.

$\Gamma, t : \mathsf{loc}, x : A' \mid \Delta_0 \vdash e : A \dashv \cdot$ (3)
by inversion on (t:Forall-Loc) with (2).

$\Gamma, t : \mathsf{loc} \mid \Delta_0 \vdash e\{v/x\} : A \dashv \cdot$ (4)
by induction hypothesis on (3) with (1).

$\Gamma \mid \Delta_0 \vdash \langle t \rangle\ e\{v/x\} : \forall t.A \dashv \cdot$ (5)
by (t:Forall-Loc) with (4).

$\Gamma \mid \Delta_0 \vdash (\langle t \rangle\ e)\{v/x\} : \forall t.A \dashv \cdot$ (6)
by (vs:14) on (5).

Thus, we conclude.

Case (t:Loc-App) - We have:

$\Gamma \mid \cdot \vdash v : !A' \dashv \cdot$ (1)
$\Gamma, x : A' \mid \Delta_0 \vdash v_0[p] : A\{p/t\} \dashv \Delta_1$ (2)
by hypothesis.

$p : \mathsf{loc} \in \Gamma, x : A'$ (3)
$\Gamma, x : A' \mid \Delta_0 \vdash v_0 : \forall t.A \dashv \Delta_1$ (4)
by inversion on (t:Loc-App) with (2).

$\Gamma \mid \Delta_0 \vdash v_0\{v/x\} : \forall t.A \dashv \Delta_1$ (5)
by induction hypothesis with (1) and (4).

$\Gamma \mid \Delta_0 \vdash v_0\{v/x\}[p] : A\{p/t\} \dashv \Delta_1$ (6)
by (t:Loc-App) with (5) and (3).

$\Gamma \mid \Delta_0 \vdash (v_0[p])\{v/x\} : A\{p/t\} \dashv \Delta_1$ (7)
by (vs:13) on (6).

Thus, we conclude.

Case (t:Loc-Open) - We have:

$\Gamma \mid \cdot \vdash v : !A' \dashv \cdot$ (1)
$\Gamma, x : A' \mid \Delta_0 \vdash \mathsf{open}\ \langle t, x_1 \rangle = v_0\ \mathsf{in}\ e_1\ \mathsf{end} : A_1 \dashv \Delta_2$ (2)
by hypothesis.

$\Gamma, x : A' \mid \Delta_0 \vdash v_0 : \exists t.A_0 \dashv \Delta_1$ (3)
$\Gamma, t : \mathsf{loc}, x : A' \mid \Delta_1, x_1 : A_0 \vdash e_1 : A_1 \dashv \Delta_2$ (4)
by inversion on (t:Loc-Open) with (2).

$x \neq x_1$ (5)
by def. of substitution up to rename of bounded variables.

$\Gamma \mid \Delta_0 \vdash v_0\{v/x\} : \exists t.A_0 \dashv \Delta_1$ (6)
by induction hypothesis on (3) and (1).

$\Gamma, t : \mathsf{loc} \mid \Delta_1, x_1 : A_0 \vdash e_1\{v/x\} : A_1 \dashv \Delta_2$ (7)
by induction hypothesis on (4) and (1).

$\Gamma \mid \Delta_0 \vdash \mathsf{open}\ \langle t, x_1 \rangle = v_0\{v/x\}\ \mathsf{in}\ e_1\{v/x\}\ \mathsf{end} : A_1 \dashv \Delta_2$ (8)
by (t:Loc-Open) with (6) and (7).

$\Gamma \mid \Delta_0 \vdash (\mathsf{open}\ \langle t, x_1 \rangle = v_0\ \mathsf{in}\ e_1\ \mathsf{end})\{v/x\} : A_1 \dashv \Delta_2$ (9)
by (vs:15) on (8) and (5).

Thus, we conclude.

Case (t:Loc-Pack) - We have:

$\Gamma \mid \cdot \vdash v : !A' \dashv \cdot$ (1)
$\Gamma, x : A' \mid \Delta_0 \vdash \langle p, v_0 \rangle : \exists t.A \dashv \Delta_1$ (2)
by hypothesis.

$\Gamma, x : A' \mid \Delta_0 \vdash v_0 : A\{p/t\} \dashv \Delta_1$ (3)
by inversion on (t:Loc-Pack) with (2).

$\Gamma \mid \Delta_0 \vdash v_0\{v/x\} : A\{p/t\} \dashv \Delta_1$ (4)
by induction hypothesis with (1) and (3).

$\Gamma \mid \Delta_0 \vdash \langle p, v_0\{v/x\} \rangle : \exists t.A \dashv \Delta_1$ (5)
by (t:Loc-Pack) with (4).

$\Gamma \mid \Delta_0 \vdash (\langle p, v_0 \rangle)\{v/x\} : \exists t.A \dashv \Delta_1$ (6)
by (vs:12) on (5).

Thus, we conclude.

Case (t:Forall-Type) - Analogous to (t:Forall-Loc) with (vs:18).

Case (t:Type-App) - Analogous to (t:Loc-App) with (vs:17).

Case (t:Type-Pack) - Analogous to (t:Loc-Pack) with (vs:16).

Case (t:Type-Open) - Analogous to (t:Loc-Open) with (vs:19).

Case (t:Cap-Elim) - We have:

$\Gamma \mid \cdot \vdash v : !A' \dashv \cdot$ (1)
$\Gamma, x : A' \mid \Delta_0, x_0 : A_0 :: A_2 \vdash e : A_1 \dashv \Delta_1$ (2)
by hypothesis.

$\Gamma, x : A' \mid \Delta_0, x_0 : A_0, A_2 \vdash e : A_1 \dashv \Delta_1$ (3)
by inversion on (t:Cap-Elim) with (2).

$\Gamma \mid \Delta_0, x_0 : A_0, A_2 \vdash e\{v/x\} : A_1 \dashv \Delta_1$ (4)
by induction hypothesis with (1) and (3).

$\Gamma \mid \Delta_0, x_0 : A_0 :: A_2 \vdash e\{v/x\} : A_1 \dashv \Delta_1$ (5)
by (t:Cap-Elim) with (4).

Thus, we conclude.

Case (t:Cap-Stack) - We have:

$\Gamma \mid \cdot \vdash v : !A' \dashv \cdot$ (1)
$\Gamma, x : A' \mid \Delta_0 \vdash e : A_0 :: A_1 \dashv \Delta_1$ (2)
by hypothesis.

$\Gamma, x : A' \mid \Delta_0 \vdash e : A_0 \dashv \Delta_1, A_1$ (3)
by inversion on (t:Cap-Stack) with (2).

$\Gamma \mid \Delta_0 \vdash e\{v/x\} : A_0 \dashv \Delta_1, A_1$ (4)
by induction hypothesis with (1) and (3).

$\Gamma \mid \Delta_0 \vdash e\{v/x\} : A_0 :: A_1 \dashv \Delta_1$ (5)
by (t:Cap-Stack) with (4).

Thus, we conclude.

Case (t:Cap-Unstack) - We have:

$\Gamma \mid \cdot \vdash v : !A' \dashv \cdot$ (1)
$\Gamma, x : A' \mid \Delta_0 \vdash e : A_0 \dashv \Delta_1, A_1$ (2)
by hypothesis.

$\Gamma, x : A' \mid \Delta_0 \vdash e : A_0 :: A_1 \dashv \Delta_1$ (3)
by inversion on (t:Cap-Unstack) with (2).

$\Gamma \mid \Delta_0 \vdash e\{v/x\} : A_0 :: A_1 \dashv \Delta_1$ (4)
by induction hypothesis with (1) and (3).

$\Gamma \mid \Delta_0 \vdash e\{v/x\} : A_0 \dashv \Delta_1, A_1$ (5)
by (t:Cap-Unstack) with (4).

Thus, we conclude.

Case (t:Frame) - We have:

$\Gamma \mid \cdot \vdash v : !A' \dashv \cdot$ (1)
$\Gamma, x : A' \mid \Delta_0 \circledast \Delta_2 \vdash e : A \dashv \Delta_1 \circledast \Delta_2$ (2)
by hypothesis.

$\Gamma, x : A' \mid \Delta_0 \vdash e : A \dashv \Delta_1$ (3)
by inversion on (t:Frame) with (2).

$\Gamma \mid \Delta_0 \vdash e\{v/x\} : A \dashv \Delta_1$ (4)
by induction hypothesis with (1) and (3).

$\Gamma \mid \Delta_0 \circledast \Delta_2 \vdash e\{v/x\} : A \dashv \Delta_1 \circledast \Delta_2$ (5)
by (t:Frame) with $\Delta_2$.

Thus, we conclude.

Case (t:Subsumption) - We have:

$\Gamma \mid \cdot \vdash v : !A' \dashv \cdot$ (1)
$\Gamma, x : A' \mid \Delta_0 \vdash e : A_1 \dashv \Delta_1$ (2)
by hypothesis.

$\Delta_0 <: \Delta_0'$ (3)
$\Gamma, x : A' \mid \Delta_0' \vdash e : A_0 \dashv \Delta_1'$ (4)
$\Delta_1' <: \Delta_1$ (5)
$A_0 <: A_1$ (6)
by inversion on (t:Subsumption) with (2).

$\Gamma \mid \Delta_0' \vdash e\{v/x\} : A_0 \dashv \Delta_1'$ (7)
by induction hypothesis with (1) and (4).

$\Gamma \mid \Delta_0 \vdash e\{v/x\} : A_1 \dashv \Delta_1$ (8)
by (t:Subsumption) with (7), (3), (5) and (6).

Thus, we conclude.

Case (t:Tag) - We have:

$\Gamma \mid \cdot \vdash v : !A' \dashv \cdot$ (1)
$\Gamma, x : A' \mid \Delta_0 \vdash l\#v_0 : l\#A_1 \dashv \Delta_1$ (2)
by hypothesis.

$\Gamma, x : A' \mid \Delta_0 \vdash v_0 : A_1 \dashv \Delta_1$ (3)
by inversion (t:Tag) with (2).

$\Gamma \mid \Delta_0 \vdash v_0\{v/x\} : A_1 \dashv \Delta_1$ (4)
by induction hypothesis with (1) and (3).

$\Gamma \mid \Delta_0 \vdash l\#v_0\{v/x\} : l\#A_1 \dashv \Delta_1$ (5)
by (t:Tag) with (4).

$\Gamma \mid \Delta_0 \vdash (l\#v_0)\{v/x\} : l\#A_1 \dashv \Delta_1$ (6)
by (vs:20) on (5).

Thus, we conclude.

Case (t:Case) - We have:

$\Gamma \mid \cdot \vdash v : !A' \dashv \cdot$ (1)
$\Gamma, x : A' \mid \Delta_1 \vdash \mathsf{case}\ v_0\ \mathsf{of}\ l_j\#x_j \to e_j\ \mathsf{end} : A \dashv \Delta_2$ (2)
by hypothesis.

$\Gamma, x : A' \mid \Delta_1 \vdash v_0 : \Sigma_i\, l_i\#A_i \dashv \Delta'$ (3)
$\Gamma, x : A' \mid \Delta', x_i : A_i \vdash e_i : A \dashv \Delta_2$ (4)
$i \leq j$ (5)
by inversion (t:Case) with (2).

$x \neq x_j$ (6)
by def. of substitution up to rename of bounded variables.

$\Gamma \mid \Delta_1 \vdash v_0\{v/x\} : \Sigma_i\, l_i\#A_i \dashv \Delta'$ (7)
by induction hypothesis on (3) and (1).

$\Gamma \mid \Delta', x_i : A_i \vdash e_i\{v/x\} : A \dashv \Delta_2$ (8)
by induction hypothesis on (4) and (1).

$\Gamma \mid \Delta_1 \vdash \mathsf{case}\ v_0\{v/x\}\ \mathsf{of}\ l_j\#x_j \to e_j\{v/x\}\ \mathsf{end} : A \dashv \Delta_2$ (9)
by (t:Case) on (5), (7) and (8).

$\Gamma \mid \Delta_1 \vdash (\mathsf{case}\ v_0\ \mathsf{of}\ l_j\#x_j \to e_j\ \mathsf{end})\{v/x\} : A \dashv \Delta_2$ (10)
by (vs:21) on (9) and (6).

Thus, we conclude.


Case (t:Alternative-Left), (t:Intersection-Right) - Immediate by applying the induction hypothesis on the inversion and then re-applying the rule.

Case (t:Let) - Analogous to other cases such as (t:Loc-Open).

Case (t:Share), (t:Focus-Rely), (t:Defocus-Guarantee) - Immediate since $x$ cannot occur free in these expressions.

□

3. (Location Variable)

Proof. We proceed by induction on the typing derivation of $\Gamma, t : \mathsf{loc} \mid \Delta_0 \vdash e : A \dashv \Delta_1$.

Case (t:Ref) - We have:

$\Gamma, p_0 : \mathsf{loc}, t : \mathsf{loc} \mid \cdot \vdash p_0 : \mathsf{ref}\ p_0 \dashv \cdot$ (1)
$p : \mathsf{loc} \in \Gamma$ (2)
by hypothesis.

$\Gamma, p_0 : \mathsf{loc}, t : \mathsf{loc}\ \mathsf{wf}$ (3)
by typing.

$(\Gamma, p_0 : \mathsf{loc})\{p/t\}\ \mathsf{wf}$ (4)
by (Well-Formed Type Substitution - Gamma) on (3), (2).

$\Gamma\{p/t\}, p_0\{p/t\} : \mathsf{loc}\ \mathsf{wf}$ (5)
by (ls:3.3) on (4).

$\Gamma\{p/t\}, p_0\{p/t\} : \mathsf{loc} \mid \cdot \vdash p_0\{p/t\} : \mathsf{ref}\ p_0\{p/t\} \dashv \cdot$ (6)
by (t:Ref) with (5).

$(\Gamma, p_0 : \mathsf{loc})\{p/t\} \mid \cdot \vdash p_0\{p/t\} : (\mathsf{ref}\ p_0)\{p/t\} \dashv \cdot$ (7)
by (ls:3.3), (ls:2.10) on (6).

Thus, we conclude.

Case (t:Pure) - We have:

$\Gamma, t : \mathsf{loc} \mid \cdot \vdash v : !A \dashv \cdot$ (1)
$p : \mathsf{loc} \in \Gamma$ (2)
by hypothesis.

$\Gamma, t : \mathsf{loc} \mid \cdot \vdash v : A \dashv \cdot$ (3)
by inversion on (t:Pure) with (1).

$\Gamma\{p/t\} \mid \cdot\{p/t\} \vdash v\{p/t\} : A\{p/t\} \dashv \cdot\{p/t\}$ (4)
by induction hypothesis with (2) and (3).

$\Gamma\{p/t\} \mid \cdot\{p/t\} \vdash v\{p/t\} : !A\{p/t\} \dashv \cdot\{p/t\}$ (5)
by (t:Pure) on (4).

$\Gamma\{p/t\} \mid \cdot\{p/t\} \vdash v\{p/t\} : (!A)\{p/t\} \dashv \cdot\{p/t\}$ (6)
by (ls:2.4) on (5).

Thus, we conclude.

Case (t:Unit) - We have:

$\Gamma, t : \mathsf{loc} \mid \cdot \vdash v : [] \dashv \cdot$ (1)
$p : \mathsf{loc} \in \Gamma$ (2)
by hypothesis.

$\Gamma, t : \mathsf{loc}\ \mathsf{wf}$ (3)
by typing.

$\Gamma\{p/t\}\ \mathsf{wf}$ (4)
by (Well-Formed Type Substitution - Gamma) on (3), (2).

$\Gamma\{p/t\} \mid \cdot \vdash v : [] \dashv \cdot$ (5)
by (t:Unit) with (4).

$\Gamma\{p/t\} \mid \cdot\{p/t\} \vdash v\{p/t\} : []\{p/t\} \dashv \cdot\{p/t\}$ (6)
by (ls:2.7), (ls:4.1) on (5) and noting that, regardless of whether $t$ occurs in $v$ or not, its type remains unchanged.

Thus, we conclude.

Case (t:Pure-Read) - We have:

$\Gamma, x : A, t : \mathsf{loc} \mid \cdot \vdash x : !A \dashv \cdot$ (1)
$p : \mathsf{loc} \in \Gamma$ (2)
by hypothesis.

$\Gamma, x : A, t : \mathsf{loc}\ \mathsf{wf}$ (3)
by typing.

$(\Gamma, x : A)\{p/t\}\ \mathsf{wf}$ (4)
by (Well-Formed Type Substitution) on (3), (2).

$\Gamma\{p/t\}, x : A\{p/t\}\ \mathsf{wf}$ (5)
by (ls:3.2) on (4).

$\Gamma\{p/t\}, x : A\{p/t\} \mid \cdot \vdash x : !A\{p/t\} \dashv \cdot$ (6)
by (t:Pure-Read) with (5).

$\Gamma\{p/t\}, x : A\{p/t\} \mid \cdot\{p/t\} \vdash x\{p/t\} : (!A)\{p/t\} \dashv \cdot\{p/t\}$ (7)
by (ls:3.1), (ls:2.4), (ls:1.2) on (6).

Thus, we conclude.

Case (t:Linear-Read) - We have:

$\Gamma, t : \mathsf{loc} \mid x : A \vdash x : A \dashv \cdot$ (1)
$p : \mathsf{loc} \in \Gamma$ (2)
by hypothesis.

$(\Gamma, t : \mathsf{loc})\ \mathsf{wf}$ (3)
by typing.

$\Gamma\{p/t\}\ \mathsf{wf}$ (4)
by (Well-Formed Type Substitution) with (3) and (2).

$\Gamma, t : \mathsf{loc} \vdash A\ \mathsf{type}$ (5)
by (Well-Formed Delta) on (1).

$\Gamma\{p/t\} \vdash A\{p/t\}\ \mathsf{type}$ (6)
by (Well-Formed Type Substitution) with (5) and (2).

$\Gamma\{p/t\} \mid x : A\{p/t\} \vdash x : A\{p/t\} \dashv \cdot$ (7)
by (t:Linear-Read) with (6).

$\Gamma\{p/t\} \mid (x : A)\{p/t\} \vdash x\{p/t\} : A\{p/t\} \dashv \cdot\{p/t\}$ (8)
by (ls:4.2), (ls:4.1), (ls:1.2) on (7).

Thus, we conclude.

Case (t:Pure-Elim) - We have:

$\Gamma, t : \mathsf{loc} \mid \Delta_0, x : !A_0 \vdash e : A_1 \dashv \Delta_1$ (1)
$p : \mathsf{loc} \in \Gamma$ (2)
by hypothesis.

$\Gamma, t : \mathsf{loc}, x : A_0 \mid \Delta_0 \vdash e : A_1 \dashv \Delta_1$ (3)
by inversion on (t:Pure-Elim) with (1).

$(\Gamma, x : A_0)\{p/t\} \mid \Delta_0\{p/t\} \vdash e\{p/t\} : A_1\{p/t\} \dashv \Delta_1\{p/t\}$ (4)
by induction hypothesis on (3) and (2).

$\Gamma\{p/t\}, x : A_0\{p/t\} \mid \Delta_0\{p/t\} \vdash e\{p/t\} : A_1\{p/t\} \dashv \Delta_1\{p/t\}$ (5)
by (ls:3.2) on (4).

$\Gamma\{p/t\} \mid \Delta_0\{p/t\}, x : !A_0\{p/t\} \vdash e\{p/t\} : A_1\{p/t\} \dashv \Delta_1\{p/t\}$ (6)
by (t:Pure-Elim) on (5).

$\Gamma\{p/t\} \mid (\Delta_0, x : !A_0)\{p/t\} \vdash e\{p/t\} : A_1\{p/t\} \dashv \Delta_1\{p/t\}$ (7)
by (ls:4.2) on (6).

Thus, we conclude.

Case (t:New) - We have:

$\Gamma, t : \mathsf{loc} \mid \Delta_0 \vdash \mathsf{new}\ v : \exists t_0.(\mathsf{ref}\ t_0 :: \mathsf{rw}\ t_0\ A) \dashv \Delta_1$ (1)
$p : \mathsf{loc} \in \Gamma$ (2)
by hypothesis.

$\Gamma, t : \mathsf{loc} \mid \Delta_0 \vdash v : A \dashv \Delta_1$ (3)
by inversion on (t:New) with (1).

$\Gamma\{p/t\} \mid \Delta_0\{p/t\} \vdash v\{p/t\} : A\{p/t\} \dashv \Delta_1\{p/t\}$ (4)
by induction hypothesis on (2) and (3).

$\Gamma\{p/t\} \mid \Delta_0\{p/t\} \vdash \mathsf{new}\ v\{p/t\} : \exists t_0.(\mathsf{ref}\ t_0 :: \mathsf{rw}\ t_0\ A\{p/t\}) \dashv \Delta_1\{p/t\}$ (5)
by (t:New) with (4).

$t_0 \neq t$ (6)
by def. of substitution up to rename of bounded location variables.

$\Gamma\{p/t\} \mid \Delta_0\{p/t\} \vdash (\mathsf{new}\ v)\{p/t\} : \exists t_0.(\mathsf{ref}\ t_0 :: \mathsf{rw}\ t_0\ A\{p/t\}) \dashv \Delta_1\{p/t\}$ (7)
by (ls:1.7) on (5).

$\Gamma\{p/t\} \mid \Delta_0\{p/t\} \vdash (\mathsf{new}\ v)\{p/t\} : \exists t_0.(\mathsf{ref}\ t_0 :: (\mathsf{rw}\ t_0\ A)\{p/t\}) \dashv \Delta_1\{p/t\}$ (8)
by (ls:2.12) on (7).

$\Gamma\{p/t\} \mid \Delta_0\{p/t\} \vdash (\mathsf{new}\ v)\{p/t\} : \exists t_0.((\mathsf{ref}\ t_0 :: \mathsf{rw}\ t_0\ A)\{p/t\}) \dashv \Delta_1\{p/t\}$ (9)
by (ls:2.6) on (8) and (6).

$\Gamma\{p/t\} \mid \Delta_0\{p/t\} \vdash (\mathsf{new}\ v)\{p/t\} : (\exists t_0.(\mathsf{ref}\ t_0 :: \mathsf{rw}\ t_0\ A))\{p/t\} \dashv \Delta_1\{p/t\}$ (10)
by (ls:2.9) on (9) and (6).

Thus, we conclude.


Case (t:Delete) - We have:

$\Gamma, t : \mathsf{loc} \mid \Delta_0 \vdash \mathsf{delete}\ v : \exists t_0.A \dashv \Delta_1$ (1)
$p : \mathsf{loc} \in \Gamma$ (2)
by hypothesis.

$\Gamma, t : \mathsf{loc} \mid \Delta_0 \vdash v : \exists t_0.(\mathsf{ref}\ t_0 :: \mathsf{rw}\ t_0\ A) \dashv \Delta_1$ (3)
by inversion on (t:Delete) with (1).

$\Gamma\{p/t\} \mid \Delta_0\{p/t\} \vdash v\{p/t\} : (\exists t_0.(\mathsf{ref}\ t_0 :: \mathsf{rw}\ t_0\ A))\{p/t\} \dashv \Delta_1\{p/t\}$ (4)
by induction hypothesis on (2) and (3).

$t_0 \neq t$ (5)
by def. of substitution up to rename of bounded location variables.

$\Gamma\{p/t\} \mid \Delta_0\{p/t\} \vdash v\{p/t\} : \exists t_0.((\mathsf{ref}\ t_0 :: \mathsf{rw}\ t_0\ A)\{p/t\}) \dashv \Delta_1\{p/t\}$ (6)
by (ls:2.9) on (4) and (5).

$\Gamma\{p/t\} \mid \Delta_0\{p/t\} \vdash v\{p/t\} : \exists t_0.((\mathsf{ref}\ t_0)\{p/t\} :: (\mathsf{rw}\ t_0\ A)\{p/t\}) \dashv \Delta_1\{p/t\}$ (7)
by (ls:2.12) on (6).

$\Gamma\{p/t\} \mid \Delta_0\{p/t\} \vdash v\{p/t\} : \exists t_0.(\mathsf{ref}\ t_0 :: \mathsf{rw}\ t_0\ A\{p/t\}) \dashv \Delta_1\{p/t\}$ (8)
by (ls:2.10), (ls:2.3), (ls:2.12) on (7).

$\Gamma\{p/t\} \mid \Delta_0\{p/t\} \vdash \mathsf{delete}\ v\{p/t\} : \exists t_0.(A\{p/t\}) \dashv \Delta_1\{p/t\}$ (9)
by (t:Delete) on (8).

$\Gamma\{p/t\} \mid \Delta_0\{p/t\} \vdash \mathsf{delete}\ v\{p/t\} : (\exists t_0.A)\{p/t\} \dashv \Delta_1\{p/t\}$ (10)
by (ls:2.9) on (5) and (9).

Thus, we conclude.

Case (t:Assign) - We have:

$\Gamma, t : \mathsf{loc} \mid \Delta_0 \vdash v_0 := v_1 : A_1 \dashv \Delta_2, \mathsf{rw}\ p\ A_0$ (1)
$p : \mathsf{loc} \in \Gamma$ (2)
by hypothesis.

$\Gamma, t : \mathsf{loc} \mid \Delta_0 \vdash v_1 : A_0 \dashv \Delta_1$ (3)
$\Gamma, t : \mathsf{loc} \mid \Delta_1 \vdash v_0 : \mathsf{ref}\ p \dashv \Delta_2, \mathsf{rw}\ p\ A_1$ (4)
by inversion on (t:Assign) with (1).

$\Gamma\{p/t\} \mid \Delta_0\{p/t\} \vdash v_1\{p/t\} : A_0\{p/t\} \dashv \Delta_1\{p/t\}$ (5)
by induction hypothesis on (3) with (2).

$\Gamma\{p/t\} \mid \Delta_1\{p/t\} \vdash v_0\{p/t\} : (\mathsf{ref}\ p)\{p/t\} \dashv (\Delta_2, \mathsf{rw}\ p\ A_1)\{p/t\}$ (6)
by induction hypothesis on (4) with (2).

$\Gamma\{p/t\} \mid \Delta_1\{p/t\} \vdash v_0\{p/t\} : \mathsf{ref}\ p\{p/t\} \dashv \Delta_2\{p/t\}, \mathsf{rw}\ p\{p/t\}\ A_1\{p/t\}$ (7)
by (ls:2.10), (ls:4.3), (ls:2.12) on (6).

$\Gamma\{p/t\} \mid \Delta_0\{p/t\} \vdash v_0\{p/t\} := v_1\{p/t\} : A_1\{p/t\} \dashv \Delta_2\{p/t\}, \mathsf{rw}\ p\{p/t\}\ A_0\{p/t\}$ (8)
by (t:Assign) on (5) and (7).

$\Gamma\{p/t\} \mid \Delta_0\{p/t\} \vdash (v_0 := v_1)\{p/t\} : A_1\{p/t\} \dashv (\Delta_2, \mathsf{rw}\ p\ A_0)\{p/t\}$ (9)
by (ls:1.10), (ls:2.12), (ls:4.3) on (8).

Thus, we conclude.

Case (t:Dereference-Linear) - We have:

$\Gamma, t : \mathsf{loc} \mid \Delta_0 \vdash\ !v : A \dashv \Delta_1, \mathsf{rw}\ p\ []$ (1)
$p : \mathsf{loc} \in \Gamma$ (2)
by hypothesis.

$\Gamma, t : \mathsf{loc} \mid \Delta_0 \vdash v : \mathsf{ref}\ p \dashv \Delta_1, \mathsf{rw}\ p\ A$ (3)
by inversion on (t:Dereference-Linear) with (1).

$\Gamma\{p/t\} \mid \Delta_0\{p/t\} \vdash v\{p/t\} : (\mathsf{ref}\ p)\{p/t\} \dashv (\Delta_1, \mathsf{rw}\ p\ A)\{p/t\}$ (4)
by induction hypothesis with (2) and (3).

$\Gamma\{p/t\} \mid \Delta_0\{p/t\} \vdash v\{p/t\} : \mathsf{ref}\ p\{p/t\} \dashv \Delta_1\{p/t\}, \mathsf{rw}\ p\{p/t\}\ A\{p/t\}$ (5)
by (ls:4.3), (ls:2.12), (ls:2.10) on (4).

$\Gamma\{p/t\} \mid \Delta_0\{p/t\} \vdash\ !v\{p/t\} : A\{p/t\} \dashv \Delta_1\{p/t\}, \mathsf{rw}\ p\{p/t\}\ []$ (6)
by (t:Dereference-Linear) on (5).

$\Gamma\{p/t\} \mid \Delta_0\{p/t\} \vdash (!v)\{p/t\} : A\{p/t\} \dashv (\Delta_1, \mathsf{rw}\ p\ [])\{p/t\}$ (7)
by (ls:1.9), (ls:4.3), (ls:2.12), (ls:2.3) on (6).

Thus, we conclude.

Case (t:Dereference-Pure) - Analogous to (t:Dereference-Linear).


Case (t:Record) - We have:

$\Gamma, t : \mathsf{loc} \mid \Delta \vdash \{\overline{f = v}\} : [\overline{f : A}] \dashv \cdot$ (1)
$p : \mathsf{loc} \in \Gamma$ (2)
by hypothesis.

$\Gamma, t : \mathsf{loc} \mid \Delta \vdash v_i : A_i \dashv \cdot$ (3)
by inversion on (t:Record) with (1).

$\Gamma\{p/t\} \mid \Delta\{p/t\} \vdash v_i\{p/t\} : A_i\{p/t\} \dashv \cdot\{p/t\}$ (4)
by induction hypothesis with (2) and (3).

$\Gamma\{p/t\} \mid \Delta\{p/t\} \vdash \{\overline{f = v\{p/t\}}\} : [\overline{f : A\{p/t\}}] \dashv \cdot\{p/t\}$ (5)
by (t:Record) with (4).

$\Gamma\{p/t\} \mid \Delta\{p/t\} \vdash (\{\overline{f = v}\})\{p/t\} : ([\overline{f : A}])\{p/t\} \dashv \cdot\{p/t\}$ (6)
by (ls:1.4), (ls:2.7) on (5).

Thus, we conclude.

Case (t:Selection) - We have:

$\Gamma, t : \mathsf{loc} \mid \Delta_0 \vdash v.f_i : A_i \dashv \Delta_1$ (1)
$p : \mathsf{loc} \in \Gamma$ (2)
by hypothesis.

$\Gamma, t : \mathsf{loc} \mid \Delta_0 \vdash v : [\overline{f : A}] \dashv \Delta_1$ (3)
by inversion on (t:Selection) with (1).

$\Gamma\{p/t\} \mid \Delta_0\{p/t\} \vdash v\{p/t\} : [\overline{f : A}]\{p/t\} \dashv \Delta_1\{p/t\}$ (4)
by induction hypothesis on (2) and (3).

$\Gamma\{p/t\} \mid \Delta_0\{p/t\} \vdash v\{p/t\} : [\overline{f : A\{p/t\}}] \dashv \Delta_1\{p/t\}$ (5)
by (ls:2.7) on (4).

$\Gamma\{p/t\} \mid \Delta_0\{p/t\} \vdash v\{p/t\}.f_i : A_i\{p/t\} \dashv \Delta_1\{p/t\}$ (6)
by (t:Selection) on (5).

$\Gamma\{p/t\} \mid \Delta_0\{p/t\} \vdash (v.f_i)\{p/t\} : A_i\{p/t\} \dashv \Delta_1\{p/t\}$ (7)
by (ls:1.5) on (6).

Thus, we conclude.

Case (t:Application) - We have:

$\Gamma, t : \mathsf{loc} \mid \Delta_0 \vdash v_0\ v_1 : A_1 \dashv \Delta_2$ (1)
$p : \mathsf{loc} \in \Gamma$ (2)
by hypothesis.

$\Gamma, t : \mathsf{loc} \mid \Delta_0 \vdash v_0 : A_0 \multimap A_1 \dashv \Delta_1$ (3)
$\Gamma, t : \mathsf{loc} \mid \Delta_1 \vdash v_1 : A_0 \dashv \Delta_2$ (4)
by inversion on (t:Application) with (1).

$\Gamma\{p/t\} \mid \Delta_0\{p/t\} \vdash v_0\{p/t\} : (A_0 \multimap A_1)\{p/t\} \dashv \Delta_1\{p/t\}$ (5)
by induction hypothesis on (2) and (3).

$\Gamma\{p/t\} \mid \Delta_1\{p/t\} \vdash v_1\{p/t\} : A_0\{p/t\} \dashv \Delta_2\{p/t\}$ (6)
by induction hypothesis on (2) and (4).

$\Gamma\{p/t\} \mid \Delta_0\{p/t\} \vdash v_0\{p/t\} : A_0\{p/t\} \multimap A_1\{p/t\} \dashv \Delta_1\{p/t\}$ (7)
by (ls:2.5) on (5).

$\Gamma\{p/t\} \mid \Delta_0\{p/t\} \vdash (v_0\ v_1)\{p/t\} : A_1\{p/t\} \dashv \Delta_2\{p/t\}$ (8)
by (t:Application) on (6) and (7), and (ls:1.6).

Thus, we conclude.

Case (t:Function) - We have:

$\Gamma, t : \mathsf{loc} \mid \Delta \vdash \mathsf{fun}(x : A_0).e : A_0 \multimap A_1 \dashv \cdot$ (1)
$p : \mathsf{loc} \in \Gamma$ (2)
by hypothesis.

$\Gamma, t : \mathsf{loc} \mid \Delta, x : A_0 \vdash e : A_1 \dashv \cdot$ (3)
by inversion on (t:Function) with (1).

$\Gamma\{p/t\} \mid (\Delta, x : A_0)\{p/t\} \vdash e\{p/t\} : A_1\{p/t\} \dashv \cdot\{p/t\}$ (4)
by induction hypothesis on (2) and (3).

$\Gamma\{p/t\} \mid \Delta\{p/t\}, x : A_0\{p/t\} \vdash e\{p/t\} : A_1\{p/t\} \dashv \cdot\{p/t\}$ (5)
by (ls:4.2) on (4).

$\Gamma\{p/t\} \mid \Delta\{p/t\} \vdash \mathsf{fun}(x : A_0\{p/t\}).e\{p/t\} : A_0\{p/t\} \multimap A_1\{p/t\} \dashv \cdot\{p/t\}$ (6)
by (t:Function) on (5).

$\Gamma\{p/t\} \mid \Delta\{p/t\} \vdash (\mathsf{fun}(x : A_0).e)\{p/t\} : (A_0 \multimap A_1)\{p/t\} \dashv \cdot\{p/t\}$ (7)
by (ls:1.3), (ls:2.5) on (6).

Thus, we conclude.

Case (t:Forall-Loc) - We have:

$\Gamma, t : \mathsf{loc} \mid \Delta_0 \vdash \langle t_0 \rangle\ e : \forall t_0.A \dashv \cdot$ (1)
$p : \mathsf{loc} \in \Gamma$ (2)
by hypothesis.

$\Gamma, t : \mathsf{loc}, t_0 : \mathsf{loc} \mid \Delta_0 \vdash e : A \dashv \cdot$ (3)
by inversion on (t:Forall-Loc) with (1).

$t_0 \neq t$ (4)
by def. of substitution up to rename of bounded location variables.

$(\Gamma, t_0 : \mathsf{loc})\{p/t\} \mid \Delta_0\{p/t\} \vdash e\{p/t\} : A\{p/t\} \dashv \cdot\{p/t\}$ (5)
by induction hypothesis with (2) and (3).

$\Gamma\{p/t\}, t_0 : \mathsf{loc} \mid \Delta_0\{p/t\} \vdash e\{p/t\} : A\{p/t\} \dashv \cdot\{p/t\}$ (6)
by (ls:3.3), (ls:2.3) with (4) on (5).

$\Gamma\{p/t\} \mid \Delta_0\{p/t\} \vdash \langle t_0 \rangle\ e\{p/t\} : \forall t_0.A\{p/t\} \dashv \cdot\{p/t\}$ (7)
by (t:Forall-Loc) on (6).

$\Gamma\{p/t\} \mid \Delta_0\{p/t\} \vdash (\langle t_0 \rangle\ e)\{p/t\} : (\forall t_0.A)\{p/t\} \dashv \cdot\{p/t\}$ (8)
by (ls:1.13), (ls:2.8) with (4) on (7).

Thus, we conclude.

Case (t:Loc-App) - We have:

$\Gamma, t : \mathsf{loc} \mid \Delta_0 \vdash v[p] : A\{p/t_0\} \dashv \Delta_1$ (1)

$p : \mathsf{loc} \in \Gamma$ (2)

by hypothesis.

$p : \mathsf{loc} \in \Gamma$ (3)

$\Gamma, t : \mathsf{loc} \mid \Delta_0 \vdash v : \forall t_0.A \dashv \Delta_1$ (4)

by inversion on (t:Loc-App) with (1).

$\Gamma\{p/t\} \mid \Delta_0\{p/t\} \vdash v\{p/t\} : (\forall t_0.A)\{p/t\} \dashv \Delta_1\{p/t\}$ (5)

by induction hypothesis with (2) and (4).

$p\{p/t\} : \mathsf{loc} \in \Gamma\{p/t\}$ (6)

by induction hypothesis with (2) and (3), and by (ls:3.3).

$t_0 \neq t$ (7)

by def. of substitution up to renaming of bound location variables.

$\Gamma\{p/t\} \mid \Delta_0\{p/t\} \vdash v\{p/t\} : \forall t_0.A\{p/t\} \dashv \Delta_1\{p/t\}$ (8)

by (ls:2.8), (7) on (5).

$\Gamma\{p/t\} \mid \Delta_0\{p/t\} \vdash v\{p/t\}[p\{p/t\}] : A\{p/t\}\{p\{p/t\}/t_0\} \dashv \Delta_1\{p/t\}$ (9)

by (t:Loc-App) on (8) and (6).

$\Gamma\{p/t\} \mid \Delta_0\{p/t\} \vdash (v[p])\{p/t\} : A\{p/t\}\{p\{p/t\}/t_0\} \dashv \Delta_1\{p/t\}$ (10)

by (ls:1.12) on (9).

Thus, we conclude.


Case (t:Loc-Pack) - We have:

$\Gamma, t : \mathsf{loc} \mid \Delta_0 \vdash \langle p, v\rangle : \exists t_0.A \dashv \Delta_1$ (1)

$p : \mathsf{loc} \in \Gamma$ (2)

by hypothesis.

$\Gamma, t : \mathsf{loc} \mid \Delta_0 \vdash v : A\{p/t_0\} \dashv \Delta_1$ (3)

by inversion on (t:Loc-Pack) with (1).

$\Gamma\{p/t\} \mid \Delta_0\{p/t\} \vdash v\{p/t\} : A\{p/t_0\}\{p/t\} \dashv \Delta_1\{p/t\}$ (4)

by induction hypothesis on (3) and (2).

$t_0 \neq t$ (5)

by def. of substitution up to renaming of bound location variables.

$\Gamma\{p/t\} \mid \Delta_0\{p/t\} \vdash v\{p/t\} : A\{p/t\}\{p/t_0\} \dashv \Delta_1\{p/t\}$ (6)

by (4) and (5).

$\Gamma\{p/t\} \mid \Delta_0\{p/t\} \vdash \langle p\{p/t\}, v\{p/t\}\rangle : \exists t_0.A\{p/t\} \dashv \Delta_1\{p/t\}$ (7)

by (t:Loc-Pack) on (6) and because $p$ must be in $\Gamma$ (therefore its substitution must also have occurred, by (ls:3.3)).

$\Gamma\{p/t\} \mid \Delta_0\{p/t\} \vdash (\langle p, v\rangle)\{p/t\} : (\exists t_0.A)\{p/t\} \dashv \Delta_1\{p/t\}$ (8)

by (ls:1.11), (ls:2.9) on (7), (5).

Thus, we conclude.


Case (t:Loc-Open) - We have:

$\Gamma, t : \mathsf{loc} \mid \Delta_0 \vdash \mathsf{open}\ \langle t_0, x\rangle = v_0\ \mathsf{in}\ e_1\ \mathsf{end} : A_1 \dashv \Delta_2$ (1)

$p : \mathsf{loc} \in \Gamma$ (2)

by hypothesis.

$\Gamma, t : \mathsf{loc} \mid \Delta_0 \vdash v_0 : \exists t_0.A_0 \dashv \Delta_1$ (3)

$\Gamma, t : \mathsf{loc}, t_0 : \mathsf{loc} \mid \Delta_1, x : A_0 \vdash e_1 : A_1 \dashv \Delta_2$ (4)

by inversion on (t:Loc-Open) with (1).

$\Gamma\{p/t\} \mid \Delta_0\{p/t\} \vdash v_0\{p/t\} : (\exists t_0.A_0)\{p/t\} \dashv \Delta_1\{p/t\}$ (5)

by induction hypothesis on (2) and (3).

$(\Gamma, t_0 : \mathsf{loc})\{p/t\} \mid (\Delta_1, x : A_0)\{p/t\} \vdash e_1\{p/t\} : A_1\{p/t\} \dashv \Delta_2\{p/t\}$ (6)

by induction hypothesis on (2) and (4).

$t_0 \neq t$ (7)

by def. of substitution up to renaming of bound location variables.

$\Gamma\{p/t\}, t_0 : \mathsf{loc} \mid \Delta_1\{p/t\}, x : A_0\{p/t\} \vdash e_1\{p/t\} : A_1\{p/t\} \dashv \Delta_2\{p/t\}$ (8)

by (ls:3.3), (ls:4.2) on (7), (6).

$\Gamma\{p/t\} \mid \Delta_0\{p/t\} \vdash v_0\{p/t\} : \exists t_0.A_0\{p/t\} \dashv \Delta_1\{p/t\}$ (9)

by (ls:2.10) on (5), (7).

$\Gamma\{p/t\} \mid \Delta_0\{p/t\} \vdash \mathsf{open}\ \langle t_0, x\rangle = v_0\{p/t\}\ \mathsf{in}\ e_1\{p/t\}\ \mathsf{end} : A_1\{p/t\} \dashv \Delta_2\{p/t\}$ (10)

by (t:Loc-Open) on (8) and (9).

$\Gamma\{p/t\} \mid \Delta_0\{p/t\} \vdash (\mathsf{open}\ \langle t_0, x\rangle = v_0\ \mathsf{in}\ e_1\ \mathsf{end})\{p/t\} : A_1\{p/t\} \dashv \Delta_2\{p/t\}$ (11)

by (ls:1.14) on (10).

Thus, we conclude.


Case  (t:Forall-Type)  -  Analogous  to  (t:Forall-Loc). 

Case  (t:Type-App)  -  Analogous  to  (t:Loc-App). 

Case  (t:Type-Pack)  -  Analogous  to  (t:Loc-Pack). 

Case  (t:Type-Open)  -  Analogous  to  (t:Loc-Open). 

Case (t:Cap-Elim) - We have:

$\Gamma, t : \mathsf{loc} \mid \Delta_0, x : A_1 :: A_2 \vdash e : A_0 \dashv \Delta_1$ (1)

$p : \mathsf{loc} \in \Gamma$ (2)

by hypothesis.

$\Gamma, t : \mathsf{loc} \mid \Delta_0, x : A_1, A_2 \vdash e : A_0 \dashv \Delta_1$ (3)

by inversion on (t:Cap-Elim) with (1).

$\Gamma\{p/t\} \mid (\Delta_0, x : A_1, A_2)\{p/t\} \vdash e\{p/t\} : A_0\{p/t\} \dashv \Delta_1\{p/t\}$ (4)

by induction hypothesis with (2) and (3).

$\Gamma\{p/t\} \mid \Delta_0\{p/t\}, x : A_1\{p/t\}, A_2\{p/t\} \vdash e\{p/t\} : A_0\{p/t\} \dashv \Delta_1\{p/t\}$ (5)

by (ls:4.3), (ls:4.2) on (4).

$\Gamma\{p/t\} \mid \Delta_0\{p/t\}, x : A_1\{p/t\} :: A_2\{p/t\} \vdash e\{p/t\} : A_0\{p/t\} \dashv \Delta_1\{p/t\}$ (6)

by (t:Cap-Elim) with (5).

$\Gamma\{p/t\} \mid (\Delta_0, x : A_1 :: A_2)\{p/t\} \vdash e\{p/t\} : A_0\{p/t\} \dashv \Delta_1\{p/t\}$ (7)

by (ls:4.2), (ls:2.6) on (6).

Thus, we conclude.


Case  (t:Cap-Stack),  (t: Cap-Unstack)  -  Analogous  to  (t:Cap-Elim). 


Case (t:Frame) - We have:

$\Gamma, t : \mathsf{loc} \mid \Delta_0 \circledast \Delta_2 \vdash e : A \dashv \Delta_1 \circledast \Delta_2$ (1)

$p : \mathsf{loc} \in \Gamma$ (2)

by hypothesis.

$\Gamma, t : \mathsf{loc} \mid \Delta_0 \vdash e : A \dashv \Delta_1$ (3)

by inversion on (t:Frame) with (1).

$\Gamma\{p/t\} \mid \Delta_0\{p/t\} \vdash e\{p/t\} : A\{p/t\} \dashv \Delta_1\{p/t\}$ (4)

by induction hypothesis with (2) and (3).

$\Gamma, t : \mathsf{loc} \vdash \Delta_0 \circledast \Delta_2$ (5)

by typing on (1).

$\Gamma\{p/t\} \vdash (\Delta_0\{p/t\}) \circledast (\Delta_2\{p/t\})$ (6)

by (Well-Formed Type Substitution - Delta) on (5) and (2), and by (ls:4.*).

$\Gamma\{p/t\} \vdash \Delta_2\{p/t\}$ (7)

by (Well-Formed Delta) on (6).

$\Gamma\{p/t\} \mid \Delta_0\{p/t\} \circledast \Delta_2\{p/t\} \vdash e\{p/t\} : A\{p/t\} \dashv \Delta_1\{p/t\} \circledast \Delta_2\{p/t\}$ (8)

by (t:Frame) on (7) and (4).

$\Gamma\{p/t\} \mid (\Delta_0 \circledast \Delta_2)\{p/t\} \vdash e\{p/t\} : A\{p/t\} \dashv (\Delta_1 \circledast \Delta_2)\{p/t\}$ (9)

by (ls:4.*) on (8).

Thus, we conclude.


Case (t:Subsumption) - We have:

$\Gamma, t : \mathsf{loc} \mid \Delta_0 \vdash e : A_1 \dashv \Delta_1$ (1)

$p : \mathsf{loc} \in \Gamma$ (2)

by hypothesis.

$\Delta_0 <: \Delta'_0$ (3)

$\Gamma, t : \mathsf{loc} \mid \Delta'_0 \vdash e : A_0 \dashv \Delta'_1$ (4)

$A_0 <: A_1$ (5)

$\Delta'_1 <: \Delta_1$ (6)

by inversion on (t:Subsumption) with (1).

$\Gamma\{p/t\} \mid \Delta'_0\{p/t\} \vdash e\{p/t\} : A_0\{p/t\} \dashv \Delta'_1\{p/t\}$ (7)

by induction hypothesis on (4) with (2).

$\Gamma, t : \mathsf{loc} \vdash \Delta_0$ (8)

by typing on (1).

$\Gamma\{p/t\} \vdash \Delta_0\{p/t\}$ (9)

by (Well-Formed Type Substitution - Gamma) on (8), (2).

$\Delta_0\{p/t\} <: \Delta'_0\{p/t\}$ (10)

by (3) and (9).

$A_0\{p/t\} <: A_1\{p/t\}$ (11)

$\Delta'_1\{p/t\} <: \Delta_1\{p/t\}$ (12)

by analogous reasoning using (Well-Formed Type Substitution - Delta) on (5) and (6).

$\Gamma\{p/t\} \mid \Delta_0\{p/t\} \vdash e\{p/t\} : A_1\{p/t\} \dashv \Delta_1\{p/t\}$ (13)

by (t:Subsumption) on (7), (10), (11) and (12).

Thus, we conclude.

Case (t:Tag) - We have:

$\Gamma, t : \mathsf{loc} \mid \Delta_0 \vdash l\#v : l\#A \dashv \Delta_1$ (1)

$p : \mathsf{loc} \in \Gamma$ (2)

by hypothesis.

$\Gamma, t : \mathsf{loc} \mid \Delta_0 \vdash v : A \dashv \Delta_1$ (3)

by inversion on (t:Tag) with (1).

$\Gamma\{p/t\} \mid \Delta_0\{p/t\} \vdash v\{p/t\} : A\{p/t\} \dashv \Delta_1\{p/t\}$ (4)

by induction hypothesis on (3) and (2).

$\Gamma\{p/t\} \mid \Delta_0\{p/t\} \vdash l\#v\{p/t\} : l\#A\{p/t\} \dashv \Delta_1\{p/t\}$ (5)

by (t:Tag) on (4).

$\Gamma\{p/t\} \mid \Delta_0\{p/t\} \vdash (l\#v)\{p/t\} : (l\#A)\{p/t\} \dashv \Delta_1\{p/t\}$ (6)

by (ls:1.19), (ls:2.18) on (5).

Thus, we conclude.


Case (t:Case) - We have:

$\Gamma, t : \mathsf{loc} \mid \Delta_0 \vdash \mathsf{case}\ v\ \mathsf{of}\ \overline{l_j\#x_j \rightarrow e_j}\ \mathsf{end} : A \dashv \Delta_2$ (1)

$p : \mathsf{loc} \in \Gamma$ (2)

by hypothesis.

$\Gamma, t : \mathsf{loc} \mid \Delta_0 \vdash v : \sum_i l_i\#A_i \dashv \Delta'$ (3)

$\Gamma, t : \mathsf{loc} \mid \Delta', x_i : A_i \vdash e_i : A \dashv \Delta_2$ (4)

$i \leq j$ (5)

by inversion on (t:Case) with (1).

$\Gamma\{p/t\} \mid \Delta_0\{p/t\} \vdash v\{p/t\} : (\sum_i l_i\#A_i)\{p/t\} \dashv \Delta'\{p/t\}$ (6)

by induction hypothesis on (3) and (2).

$\Gamma\{p/t\} \mid \Delta_0\{p/t\} \vdash v\{p/t\} : \sum_i l_i\#(A_i\{p/t\}) \dashv \Delta'\{p/t\}$ (7)

by (ls:2.18) on (6).

$\Gamma\{p/t\} \mid (\Delta', x_i : A_i)\{p/t\} \vdash e_i\{p/t\} : A\{p/t\} \dashv \Delta_2\{p/t\}$ (8)

by induction hypothesis on (4) and (2).

$\Gamma\{p/t\} \mid \Delta'\{p/t\}, x_i : A_i\{p/t\} \vdash e_i\{p/t\} : A\{p/t\} \dashv \Delta_2\{p/t\}$ (9)

by (ls:4.2) on (8).

$\Gamma\{p/t\} \mid \Delta_0\{p/t\} \vdash \mathsf{case}\ v\{p/t\}\ \mathsf{of}\ \overline{l_j\#x_j \rightarrow e_j\{p/t\}}\ \mathsf{end} : A\{p/t\} \dashv \Delta_2\{p/t\}$ (10)

by (t:Case) on (5), (7) and (9).

$\Gamma\{p/t\} \mid \Delta_0\{p/t\} \vdash (\mathsf{case}\ v\ \mathsf{of}\ \overline{l_j\#x_j \rightarrow e_j}\ \mathsf{end})\{p/t\} : A\{p/t\} \dashv \Delta_2\{p/t\}$ (11)

by (ls:1.20) on (10).

Thus, we conclude.


Case (t:Alternative-Left), (t:Intersection-Right) - Immediate by applying the induction hypothesis on the inversion and then re-applying the rule.

Case (t:Let) - Analogous to (t:Loc-Open).

Case (t:Share), (t:Focus-Rely), (t:Defocus-Guarantee) - Immediate by applying the respective substitution rules.

□

4. (Type Variable), analogous to the (Location Variable) proof.

□

B.10 Values Lemma

Lemma 11 (Values Lemma). If $v$ is a closed value such that:

$\Gamma \mid \Delta \vdash v : A \dashv \Delta'$

then:

$\Delta <: \Delta_v, \Delta'$

$\Gamma \mid \Delta_v \vdash v : A \dashv \bullet$

for some $\Delta_v$.

Proof. By induction on the typing derivation of $\Gamma \mid \Delta \vdash v : A \dashv \Delta'$.

Case (t:Ref) - We have:

$\Gamma, p : \mathsf{loc} \mid \bullet \vdash p : \mathsf{ref}\ p \dashv \bullet$ (1)

by hypothesis.

Thus, by making:

$\Delta_v = \bullet$ (2)

$\Delta' = \bullet$ (3)

We immediately conclude.

Case (t:Pure) - We have:

$\Gamma \mid \bullet \vdash v : !A \dashv \bullet$ (1)

by hypothesis.

Thus, by making:

$\Delta_v = \bullet$ (2)

$\Delta' = \bullet$ (3)

We immediately conclude.

Case (t:Unit) - We have:

$\Gamma \mid \bullet \vdash v : [] \dashv \bullet$ (1)

by hypothesis.

Thus, by making:

$\Delta_v = \bullet$ (2)

$\Delta' = \bullet$ (3)

We immediately conclude.

Case (t:Pure-Read), (t:Linear-Read) - Value not closed.

Case (t:Pure-Elim) - Environment not closed.

Case (t:New), (t:Delete), (t:Assign), (t:Dereference-Linear), (t:Dereference-Pure) - Not a value.
Case (t:Record) - We have:

$\Gamma \mid \Delta_0 \vdash \{\overline{f = v}\} : [\overline{f : A}] \dashv \Delta_1$ (1)

by hypothesis.

$\Gamma \mid \Delta_0 \vdash \overline{v} : \overline{A} \dashv \Delta_1$ (2)

by inversion on (t:Record) with (1).

$\Delta_0 <: \Delta_v, \Delta_1$ (3)

$\Gamma \mid \Delta_v \vdash \overline{v} : \overline{A} \dashv \bullet$ (4)

by induction hypothesis on (2).

$\Gamma \mid \Delta_v \vdash \{\overline{f = v}\} : [\overline{f : A}] \dashv \bullet$ (5)

by (t:Record) on (4).

Therefore, by (3) and (5) we conclude.

Case (t:Selection) - Not a value.

Case (t:Application) - Not a value.

Case (t:Function) - We have:

$\Gamma \mid \Delta \vdash \mathsf{fun}(x : A_0).e : A_0 \multimap A_1 \dashv \bullet$ (1)

by hypothesis.

Thus, by making:

$\Delta' = \bullet$ (2)

We immediately conclude.

Case (t:Forall-Loc) - We have:

$\Gamma \mid \Delta \vdash \langle t\rangle\, e : \forall t.A \dashv \bullet$ (1)

by hypothesis.

Thus, by making:

$\Delta' = \bullet$ (2)

We immediately conclude.

Case (t:Loc-App) - Not a value.

Case (t:Loc-Pack) - We have:

$\Gamma \mid \Delta \vdash \langle p, v\rangle : \exists t.A \dashv \bullet$ (1)

by hypothesis.

$\Gamma \mid \Delta \vdash v : A\{p/t\} \dashv \bullet$ (2)

by inversion on (t:Loc-Pack) with (1).

$\Delta <: \Delta_v, \bullet$ (3)

$\Gamma \mid \Delta_v \vdash v : A\{p/t\} \dashv \bullet$ (4)

by induction hypothesis on (2).

$\Gamma \mid \Delta_v \vdash \langle p, v\rangle : \exists t.A \dashv \bullet$ (5)

by (t:Loc-Pack) on (4).

Therefore, by (3) and (5) we conclude.

Case (t:Loc-Open) - Not a value.

Case (t:Forall-Type) - We have:

$\Gamma \mid \Delta \vdash \langle X\rangle\, e : \forall X.A \dashv \bullet$ (1)

by hypothesis.

Thus, by making:

$\Delta' = \bullet$ (2)

We immediately conclude.

Case (t:Type-App) - Not a value.

Case (t:Type-Pack) - We have:

$\Gamma \mid \Delta \vdash \langle A_1, v\rangle : \exists X.A_0 \dashv \bullet$ (1)

by hypothesis.

$\Gamma \mid \Delta \vdash v : A_0\{A_1/X\} \dashv \bullet$ (2)

by inversion on (t:Type-Pack) with (1).

$\Delta <: \Delta_v, \bullet$ (3)

$\Gamma \mid \Delta_v \vdash v : A_0\{A_1/X\} \dashv \bullet$ (4)

by induction hypothesis on (2).

$\Gamma \mid \Delta_v \vdash \langle A_1, v\rangle : \exists X.A_0 \dashv \bullet$ (5)

by (t:Type-Pack) on (4).

Therefore, by (3) and (5) we conclude.

Case (t:Type-Open) - Not a value.

Case (t:Cap-Elim) - Environment not closed.

Case (t:Cap-Stack) - We have:

$\Gamma \mid \Delta_0 \vdash v : A_0 :: A_1 \dashv \Delta_1$ (1)

by hypothesis.

$\Gamma \mid \Delta_0 \vdash v : A_0 \dashv \Delta_1, A_1$ (2)

by inversion on (t:Cap-Stack) with (1).

$\Delta_0 <: \Delta_v, \Delta_1, A_1$ (3)

$\Gamma \mid \Delta_v \vdash v : A_0 \dashv \bullet$ (4)

by induction hypothesis on (2).

$\Gamma \mid \Delta_v, A_1 \vdash v : A_0 \dashv A_1$ (5)

by (t:Frame) on (4) using $A_1$.

Note that this application of (t:Frame) can be applied directly since $\Delta_v$ satisfies the lemma's side condition.

$\Gamma \mid \Delta_v, A_1 \vdash v : A_0 :: A_1 \dashv \bullet$ (6)

by (t:Cap-Stack) on (5).

Therefore, by (3) and (6) we conclude.

(note that the side condition on $\Delta_v, A_1$ is immediate since a defocus-guarantee is not a type)

Case (t:Cap-Unstack) - We have:

$\Gamma \mid \Delta_0 \vdash v : A_0 \dashv \Delta_1, A_1$ (1)

by hypothesis.

$\Gamma \mid \Delta_0 \vdash v : A_0 :: A_1 \dashv \Delta_1$ (2)

by inversion on (t:Cap-Unstack) with (1).

$\Delta_0 <: \Delta_v, \Delta_1$ (3)

$\Gamma \mid \Delta_v \vdash v : A_0 :: A_1 \dashv \bullet$ (4)

by induction hypothesis on (2).

$\Gamma \mid \Delta_v \vdash v : A_0 \dashv A_1$ (5)

by (t:Cap-Unstack) with (4).

$\Delta_v <: \Delta'_v, A_1$ (6)

$\Gamma \mid \Delta'_v \vdash v : A_0 \dashv \bullet$ (7)

by induction hypothesis on (5).

$\Delta_0 <: \Delta'_v, \Delta_1, A_1$ (8)

by transitivity of subtyping with (3) and (6).

Therefore, by (7) and (8) we conclude.

Case (t:Frame) - We have:

$\Gamma \mid \Delta_0 \circledast \Delta_2 \vdash v : A \dashv \Delta_1 \circledast \Delta_2$ (1)

by hypothesis.

$\Gamma \mid \Delta_0 \vdash v : A \dashv \Delta_1$ (2)

by inversion on (t:Frame) with (1).

$\Delta_0 <: \Delta_v, \Delta_1$ (3)

$\Gamma \mid \Delta_v \vdash v : A \dashv \bullet$ (4)

by induction hypothesis on (2).

$\Delta_0 \circledast \Delta_2 <: \Delta_v, (\Delta_1 \circledast \Delta_2)$ (5)

by (1), since $\Delta_2$ can be $\circledast$-composed with $\Delta_0$.

Therefore, by (4) and (5) we immediately conclude.

Case (t:Subsumption) - We have:

$\Gamma \mid \Delta_0 \vdash v : A_1 \dashv \Delta_1$ (1)

by hypothesis.

$\Delta_0 <: \Delta'_0$ (2)

$\Gamma \mid \Delta'_0 \vdash v : A_0 \dashv \Delta'_1$ (3)

$A_0 <: A_1$ (4)

$\Delta'_1 <: \Delta_1$ (5)

by inversion on (t:Subsumption) with (1).

$\Delta'_0 <: \Delta_v, \Delta'_1$ (6)

$\Gamma \mid \Delta_v \vdash v : A_0 \dashv \bullet$ (7)

by induction hypothesis on (3).

$\Delta'_0 <: \Delta_v, \Delta_1$ (8)

by transitivity of subtyping with (5) and (6).

$\Delta_0 <: \Delta_v, \Delta_1$ (9)

by transitivity of subtyping with (2) and (8).

$\Gamma \mid \Delta_v \vdash v : A_1 \dashv \bullet$ (10)

by (t:Subsumption) with (sd:Symmetry) and (4) on (7).

Therefore, by (9) and (10) we conclude.

Case (t:Tag) - We have:

$\Gamma \mid \Delta_0 \vdash l\#v : l\#A \dashv \Delta_1$ (1)

by hypothesis.

$\Gamma \mid \Delta_0 \vdash v : A \dashv \Delta_1$ (2)

by inversion on (t:Tag) with (1).

$\Delta_0 <: \Delta_v, \Delta_1$ (3)

$\Gamma \mid \Delta_v \vdash v : A \dashv \bullet$ (4)

by induction hypothesis on (2).

$\Gamma \mid \Delta_v \vdash l\#v : l\#A \dashv \bullet$ (5)

by (t:Tag) on (4).

Therefore, by (5) and (3) we conclude.

Case (t:Case) - Not a value.

Case (t:Alternative-Left) - We have:

$\Gamma \mid \Delta_0, A_0 \oplus A_1 \vdash v : A_2 \dashv \Delta_1$ (1)

by hypothesis.

$\Gamma \mid \Delta_0, A_0 \vdash v : A_2 \dashv \Delta_1$ (2)

$\Gamma \mid \Delta_0, A_1 \vdash v : A_2 \dashv \Delta_1$ (3)

by inversion on (t:Alternative-Left) with (1).

$\Delta_0, A_0 <: \Delta_v, \Delta_1$ (4)

$\Gamma \mid \Delta_v \vdash v : A_2 \dashv \bullet$ (5)

by induction hypothesis on (2).

$\Delta_0, A_1 <: \Delta_v, \Delta_1$ (6)

$\Gamma \mid \Delta_v \vdash v : A_2 \dashv \bullet$ (7)

by induction hypothesis on (3).

(note: by (t:Subsumption) both applications of the i.h. yield the same $\Delta_v$)

$\Delta_0, A_0 \oplus A_1 <: \Delta_v, \Delta_1$ (8)

by (sd:Alternative-L) on (4) and (6).

Therefore, by (8) and (7) we conclude.


Case (t:Intersection-Right) - We have:

$\Gamma \mid \Delta_0 \vdash v : A_0 \dashv \Delta_1, A_1 \& A_2$ (1)

by hypothesis.

$\Gamma \mid \Delta_0 \vdash v : A_0 \dashv \Delta_1, A_1$ (2)

$\Gamma \mid \Delta_0 \vdash v : A_0 \dashv \Delta_1, A_2$ (3)

by inversion on (t:Intersection-Right) with (1).

$\Delta_0 <: \Delta_v, \Delta_1, A_1$ (4)

$\Gamma \mid \Delta_v \vdash v : A_0 \dashv \bullet$ (5)

by induction hypothesis on (2).

$\Delta_0 <: \Delta_v, \Delta_1, A_2$ (6)

$\Gamma \mid \Delta_v \vdash v : A_0 \dashv \bullet$ (7)

by induction hypothesis on (3).

(note: by (t:Subsumption) both applications of the i.h. yield the same $\Delta_v$)

$\Delta_0 <: \Delta_v, \Delta_1, A_1 \& A_2$ (8)

by (sd:Intersection-R) on (4) and (6).

Thus, by (8) and (7) we conclude.

Case (t:Let), (t:Share), (t:Focus-Rely), (t:Defocus-Guarantee) - Not values.

□
B.11 Preservation

Theorem 3 (Preservation). If $e_0$ is a closed expression such that:

$\Gamma_0 \mid \Delta_0 \vdash e_0 : A \dashv \Delta$

$\Gamma_0 \mid \Delta_0 \circledast \Delta_2 \vdash H_0$

$\langle H_0 \parallel e_0 \rangle \mapsto \langle H_1 \parallel e_1 \rangle$

then:

$\Gamma_0, \Gamma_1 \mid \Delta_1 \circledast \Delta_2 \vdash H_1$

$\Gamma_0, \Gamma_1 \mid \Delta_1 \vdash e_1 : A \dashv \Delta$

for some $\Delta_1, \Gamma_1$.

Proof. By induction on the typing derivation of $\Gamma_0 \mid \Delta_0 \vdash e_0 : A \dashv \Delta$.

Case (t:Ref), (t:Pure), (t:Unit) - are values.

Case (t:Pure-Read), (t:Linear-Read), (t:Pure-Elim) - not applicable, environments not closed.
Case (t:New) - We have:

$\Gamma_0 \mid \Delta_0 \vdash \mathsf{new}\ v : \exists t.(\mathsf{ref}\ t :: \mathsf{rw}\ t\ A) \dashv \Delta$ (1)

$\Gamma_0 \mid \Delta_0 \circledast \Delta_2 \vdash H$ (2)

$\langle H \parallel \mathsf{new}\ v \rangle \mapsto \langle H, p \mapsto v \parallel \langle p, p\rangle \rangle$ (3)

by hypothesis, with (d:New).

$\Gamma_0 \mid \Delta_0 \vdash v : A \dashv \Delta$ (4)

by inversion on (t:New) with (1).

$\Delta_0 <: \Delta_v, \Delta$ (5)

$\Gamma_0 \mid \Delta_v \vdash v : A \dashv \bullet$ (6)

by (Values Lemma) with (4).

$p$ fresh (7)

by inversion on (d:New) with (3).

$\Gamma_0 \mid \Delta_v, \Delta \circledast \Delta_2 \vdash H$ (8)

by (Subtyping Store Typing) with (2) and (5).
(note that the $\circledast$ relation remains unaffected)

Thus, if we make:

$\Gamma_1 = p : \mathsf{loc}$ (9)

We have that:

$\Gamma_0, \Gamma_1 \mid \Delta_v \vdash v : A \dashv \bullet$ (10)

by (Weakening) on (6) with $\Gamma_1$.
(note that weakening is only valid in the lexical environments, $\Gamma$)

$\Gamma_0, \Gamma_1 \mid \Delta_v, \Delta \circledast \Delta_2 \vdash H$ (11)

by (str:Loc) with $\Gamma_1$ (that contains $p$) on (8).

$H = H_0, H_1$ (12)

$\Delta' = \Delta_2 \setminus \Delta''$ (13)

$\Gamma_0, \Gamma_1 \mid \Delta_v, \Delta \circledast \Delta'' \vdash H_0$ (14)

$\Gamma_0, \Gamma_1 \mid \Delta_v, \Delta \vdash H_0$ (15)

$\Gamma_0, \Gamma_1 \mid \Delta' \vdash H_1$ (16)

by (Store Typing Extension) on (11).

$\Gamma_0, \Gamma_1 \mid \Delta, \mathsf{rw}\ p\ A \vdash H_0, p \mapsto v$ (17)

by (str:Binding) with (10) and (15).

$\Gamma_0, \Gamma_1 \mid \Delta, \mathsf{rw}\ p\ A \circledast \Delta'' \vdash H_0, p \mapsto v$ (18)

since $p$ is fresh and (14) and (17).

$\Gamma_0, \Gamma_1 \mid \Delta, \mathsf{rw}\ p\ A \circledast \Delta_2 \vdash H, p \mapsto v$ (19)

by (Store Typing Extension) on (12), (13), (16), (18).

Thus, if we make:

$\Delta_1 = \Delta, \mathsf{rw}\ p\ A$ (20)

We have that:

$\Gamma_0, \Gamma_1 \mid \bullet \vdash p : \mathsf{ref}\ p \dashv \bullet$ (21)

by (t:Ref) with $p$.

$\Gamma_0, \Gamma_1 \mid \Delta_1 \vdash p : \mathsf{ref}\ p \dashv \Delta_1$ (22)

by (t:Frame) on (21) with $\Delta_1$ (since $\bullet$ is empty, frame is immediate).

$\Gamma_0, \Gamma_1 \mid \Delta_1 \vdash p : \mathsf{ref}\ p :: \mathsf{rw}\ p\ A \dashv \Delta$ (23)

by (t:Cap-Stack) on (22) noting that (20).

If $t$ fresh then:

$\Gamma_0, \Gamma_1 \mid \Delta_1 \vdash p : (\mathsf{ref}\ t :: \mathsf{rw}\ t\ A)\{p/t\} \dashv \Delta$ (24)

by type substitution on (23).

Note that, by (4), $p$ cannot occur in $A$ since it is a fresh location constant not present in $\Gamma_0$.

$\Gamma_0, \Gamma_1 \mid \Delta_1 \vdash \langle p, p\rangle : \exists t.(\mathsf{ref}\ t :: \mathsf{rw}\ t\ A) \dashv \Delta$ (25)

by (t:Loc-Pack) on (24).

Thus:

$\Gamma_0, \Gamma_1 \mid \Delta_1 \vdash \langle p, p\rangle : \exists t.(\mathsf{ref}\ t :: \mathsf{rw}\ t\ A) \dashv \Delta$ (26)

for some $\Delta_1, \Gamma_1$, by (25).

Therefore, by (19) and (26) we conclude.

Case (t:Delete) - We have:

$\Gamma_0 \mid \Delta_0 \vdash \mathsf{delete}\ \langle p, p\rangle : \exists t.A \dashv \Delta$ (1)

$\Gamma_0 \mid \Delta_0 \circledast \Delta_2 \vdash H, p \mapsto v$ (2)

$\langle H, p \mapsto v \parallel \mathsf{delete}\ \langle p, p\rangle \rangle \mapsto \langle H \parallel \langle p, v\rangle \rangle$ (3)

by hypothesis, with (d:Delete).

$\Gamma_0 \mid \Delta_0 \vdash \langle p, p\rangle : \exists t.(\mathsf{ref}\ t :: \mathsf{rw}\ t\ A) \dashv \Delta$ (4)

by inversion on (t:Delete) with (1).

$\Delta_0 <: \Delta_p, \Delta$ (5)

$\Gamma_0 \mid \Delta_p \vdash \langle p, p\rangle : \exists t.(\mathsf{ref}\ t :: \mathsf{rw}\ t\ A) \dashv \bullet$ (6)

by (Values Lemma) with (4).
(note that we will omit the G annotation until relevant, for clarity)

$\Gamma_0 \mid \Delta_p \vdash p : (\mathsf{ref}\ t :: \mathsf{rw}\ t\ A)\{p/t\} \dashv \bullet$ (7)

by (Values Inversion Lemma) with (6).

$\Gamma_0 \mid \Delta_p \vdash p : \mathsf{ref}\ p :: \mathsf{rw}\ p\ A\{p/t\} \dashv \bullet$ (8)

by (ls:2.6), (ls:2.10), (ls:2.1), (ls:2.12) with (7).

$\Gamma_0 \mid \Delta_p \vdash p : \mathsf{ref}\ p \dashv \mathsf{rw}\ p\ A\{p/t\}$ (9)

by (Values Inversion Lemma) with (8).

$\Delta_p <: \Delta'_p, \mathsf{rw}\ p\ A\{p/t\}$ (10)

$\Gamma_0 \mid \Delta'_p \vdash p : \mathsf{ref}\ p \dashv \bullet$ (11)

by (Values Lemma) with (9).

$\Delta'_p = \bullet$ (12)

by inversion on (t:Ref) with (11).

Therefore:

$\Gamma_0 \mid \Delta'_p, \mathsf{rw}\ p\ A\{p/t\}, \Delta \circledast \Delta_2 \vdash H, p \mapsto v$, i.e.:

$\Gamma_0 \mid \mathsf{rw}\ p\ A\{p/t\}, \Delta \circledast \Delta_2 \vdash H, p \mapsto v$ (13)

by (Subtyping Store Typing) using (2), (10) and (12).

$H, p \mapsto v = (H_0, p \mapsto v), H_1$ (14)

$\Delta' = \Delta_2 \setminus \Delta''$ (15)

$\Gamma_0 \mid \mathsf{rw}\ p\ A\{p/t\}, \Delta \circledast \Delta'' \vdash H_0, p \mapsto v$ (16)

$\Gamma_0 \mid \mathsf{rw}\ p\ A\{p/t\}, \Delta \vdash H_0, p \mapsto v$ (17)

$\Gamma_0 \mid \Delta' \vdash H_1$ (18)

by (Store Typing Extension) on (13).

$\Gamma_0 \mid \Delta_v, \Delta \vdash H_0$ (19)

$\Gamma_0 \mid \Delta_v \vdash v : A\{p/t\} \dashv \bullet$ (20)

by (Store Typing Inversion Lemma) with (17).

$\Gamma_0 \mid \Delta_v \vdash \langle p, v\rangle : \exists t.A \dashv \bullet$ (21)

by (t:Loc-Pack) with (20) using $p$.

$\Gamma_0 \mid \Delta_v, \Delta \vdash \langle p, v\rangle : \exists t.A \dashv \Delta$ (22)

by (t:Frame) with (21) using $\Delta$.
(because (Values Lemma) ensures the side condition on $\Delta_v$, the frame is immediate)

Using:

$\Gamma_1 = \bullet$ (23)

$\Delta_1 = \Delta_v, \Delta$ (24)

We have:

$\Gamma_0, \Gamma_1 \mid \Delta_1 \vdash \langle p, v\rangle : \exists t.A \dashv \Delta$ (25)

by (22) with (23) and (24).

$\Gamma_0, \Gamma_1 \mid \Delta_1 \vdash H_0$ (26)

by (19) with (23) and (24).

$\Gamma_0, \Gamma_1 \mid \Delta_1 \circledast \Delta'' \vdash H_0$ (27)

by (26) and (16), since $p$ is a unique capability.

$\Gamma_0, \Gamma_1 \mid \Delta_1 \circledast \Delta_2 \vdash H$ (28)

by (Store Typing Extension) on (14), (15), (18), (26) and (27).

Therefore, by (25) and (28) we conclude.


Case (t:Assign) - We have:

$\Gamma_0 \mid \Delta_0 \vdash p := v_1 : A_1 \dashv \Delta, \mathsf{rw}\ p\ A_0$ (1)

$\Gamma_0 \mid \Delta_0 \circledast \Delta_2 \vdash H, p \mapsto v_0$ (2)

$\langle H, p \mapsto v_0 \parallel p := v_1 \rangle \mapsto \langle H, p \mapsto v_1 \parallel v_0 \rangle$ (3)

by hypothesis, with (d:Assign).

$\Gamma_0 \mid \Delta_0 \vdash v_1 : A_0 \dashv \Delta'$ (4)

$\Gamma_0 \mid \Delta' \vdash p : \mathsf{ref}\ p \dashv \Delta, \mathsf{rw}\ p\ A_1$ (5)

by inversion on (t:Assign) with (1).

$\Delta_0 <: \Delta_{v_1}, \Delta'$ (6)

$\Gamma_0 \mid \Delta_{v_1} \vdash v_1 : A_0 \dashv \bullet$ (7)

by (Values Lemma) on (4).

$\Delta' <: \Delta_p, \Delta, \mathsf{rw}\ p\ A_1$ (8)

$\Gamma_0 \mid \Delta_p \vdash p : \mathsf{ref}\ p \dashv \bullet$ (9)

by (Values Lemma) on (5).

$\Delta_p = \bullet$ (10)

by inversion on (t:Ref) with (9).

$\Gamma_0 \mid \Delta_{v_1}, \Delta, \mathsf{rw}\ p\ A_1 \circledast \Delta_2 \vdash H, p \mapsto v_0$ (11)

by (Subtyping Store Typing) with (2), (6) and (8).

$H, p \mapsto v_0 = (H_0, p \mapsto v_0), H_1$ (12)

$\Delta' = \Delta_2 \setminus \Delta''$ (13)

$\Gamma_0 \mid \Delta_{v_1}, \Delta, \mathsf{rw}\ p\ A_1 \circledast \Delta'' \vdash H_0, p \mapsto v_0$ (14)

$\Gamma_0 \mid \Delta_{v_1}, \Delta, \mathsf{rw}\ p\ A_1 \vdash H_0, p \mapsto v_0$ (15)

$\Gamma_0 \mid \Delta' \vdash H_1$ (16)

by (Store Typing Extension) on (11).

$\Gamma_0 \mid \Delta_{v_1}, \Delta_{v_0}, \Delta \vdash H_0$ (17)

$\Gamma_0 \mid \Delta_{v_0} \vdash v_0 : A_1 \dashv \bullet$ (18)

by (Store Typing Inversion Lemma) on (15).

$\Gamma_0 \mid \Delta_{v_0}, \Delta, \mathsf{rw}\ p\ A_0 \vdash H_0, p \mapsto v_1$ (19)

by (str:Binding) with $p$ on (7) and (17).

By making:

$\Gamma_1 = \bullet$ (20)

We have:

$\Gamma_0, \Gamma_1 \mid \Delta_{v_0}, \Delta, \mathsf{rw}\ p\ A_0 \vdash H_0, p \mapsto v_1$ (21)

by (Weakening) with (19).

$\Gamma_0, \Gamma_1 \mid \Delta_{v_0} \vdash v_0 : A_1 \dashv \bullet$ (22)

by (Weakening) on (18).

$\Gamma_0, \Gamma_1 \mid \Delta_{v_0}, \Delta, \mathsf{rw}\ p\ A_0 \vdash v_0 : A_1 \dashv \Delta, \mathsf{rw}\ p\ A_0$ (23)

by (t:Frame) using $\Delta, \mathsf{rw}\ p\ A_0$ with (22).
(note that the side condition on $\Delta_{v_0}$ holds by (Values Lemma))

$\Gamma_0, \Gamma_1 \mid \Delta_{v_0}, \Delta, \mathsf{rw}\ p\ A_0 \circledast \Delta_2 \vdash H, p \mapsto v_1$ (24)

by (Store Typing Extension) on (21).

Note that (24) is a valid step since the extension cannot refer to the fresh (and non-shared) capability and, therefore, such a change of contents cannot interfere with $\Delta_2$, since that capability cannot occur twice. From now on, we abbreviate the use of the (Store Typing Extension) lemma since it is analogous to previous cases.

Therefore, by (23) and (24) we conclude.

Case (t:Dereference-Linear) - We have:

$\Gamma_0 \mid \Delta_0 \vdash !p : A \dashv \Delta, \mathsf{rw}\ p\ []$ (1)

$\Gamma_0 \mid \Delta_0 \circledast \Delta_2 \vdash H, p \mapsto v$ (2)

$\langle H, p \mapsto v \parallel !p \rangle \mapsto \langle H, p \mapsto v \parallel v \rangle$ (3)

by hypothesis, with (d:Dereference).

$\Gamma_0 \mid \Delta_0 \vdash p : \mathsf{ref}\ p \dashv \Delta, \mathsf{rw}\ p\ A$ (4)

by inversion on (t:Dereference-Linear) with (1).

$\Delta_0 <: \Delta_p, \Delta, \mathsf{rw}\ p\ A$ (5)

$\Gamma_0 \mid \Delta_p \vdash p : \mathsf{ref}\ p \dashv \bullet$ (6)

by (Values Lemma) on (4).

$\Delta_p = \bullet$ (7)

by (Values Inversion Lemma) on (6).

$\Delta_0 <: \Delta, \mathsf{rw}\ p\ A$ (8)

by rewriting (5) with (7).

$\Gamma_0 \mid \Delta, \mathsf{rw}\ p\ A \circledast \Delta_2 \vdash H, p \mapsto v$ (9)

by (Subtyping Store Typing) with (8) and (2).

$\Gamma_0 \mid \Delta_v \vdash v : A \dashv \bullet$ (10)

$\Gamma_0 \mid \Delta, \Delta_v \vdash H_0$ (11)

by (Store Typing Extension) with (9) and (Store Typing Inversion Lemma).

We omit a few steps of using (Store Typing Extension) since they are analogous to previous cases.

$\Gamma_0 \mid \bullet \vdash v : [] \dashv \bullet$ (12)

by (t:Unit) with value $v$.

$\Gamma_0 \mid \Delta, \Delta_v, \mathsf{rw}\ p\ [] \vdash H_0, p \mapsto v$ (13)

by (str:Binding) using $p$, (11) and (12).

By making:

$\Gamma_1 = \bullet$ (14)

We have:

$\Gamma_0, \Gamma_1 \mid \Delta, \Delta_v, \mathsf{rw}\ p\ [] \vdash H_0, p \mapsto v$ (15)

by (Weakening) using $\Gamma_1$ on (13).

$\Gamma_0, \Gamma_1 \mid \Delta_v \vdash v : A \dashv \bullet$ (16)

by (Weakening) using $\Gamma_1$ on (10).

$\Gamma_0, \Gamma_1 \mid \Delta_v, \Delta, \mathsf{rw}\ p\ [] \vdash v : A \dashv \Delta, \mathsf{rw}\ p\ []$ (17)

by (t:Frame) using $\Delta, \mathsf{rw}\ p\ []$ on (16).

$\Gamma_0, \Gamma_1 \mid \Delta, \Delta_v, \mathsf{rw}\ p\ [] \circledast \Delta_2 \vdash H, p \mapsto v$ (18)

by (Store Typing Extension) on (15).

Therefore, by (18) and (17) we conclude.
Case (t:Dereference-Pure) - We have:

$\Gamma_0 \mid \Delta_0 \vdash !p : !A \dashv \Delta, \mathsf{rw}\ p\ !A$ (1)

$\Gamma_0 \mid \Delta_0 \circledast \Delta_2 \vdash H, p \mapsto v$ (2)

$\langle H, p \mapsto v \parallel !p \rangle \mapsto \langle H, p \mapsto v \parallel v \rangle$ (3)

by hypothesis, with (d:Dereference).

$\Gamma_0 \mid \Delta_0 \vdash p : \mathsf{ref}\ p \dashv \Delta, \mathsf{rw}\ p\ !A$ (4)

by inversion on (t:Dereference-Pure) with (1).

$\Delta_0 <: \Delta_p, \Delta, \mathsf{rw}\ p\ !A$ (5)

$\Gamma_0 \mid \Delta_p \vdash p : \mathsf{ref}\ p \dashv \bullet$ (6)

by (Values Lemma) on (4).

$\Delta_p = \bullet$ (7)

by (Values Inversion Lemma) on (6).

$\Delta_0 <: \Delta, \mathsf{rw}\ p\ !A$ (8)

by rewriting (5) with (7).

$\Gamma_0 \mid \Delta, \mathsf{rw}\ p\ !A \circledast \Delta_2 \vdash H, p \mapsto v$ (9)

by (Subtyping Store Typing) with (8) and (2).

$\Gamma_0 \mid \Delta_v \vdash v : !A \dashv \bullet$ (10)

$\Gamma_0 \mid \Delta, \Delta_v \vdash H_0$ (11)

by (Store Typing Extension) with (9) and (Store Typing Inversion Lemma).

$\Delta_v = \bullet$ (12)

$\Gamma_0 \mid \bullet \vdash v : !A \dashv \bullet$ (13)

by (Values Inversion Lemma) on (10).

$\Gamma_0 \mid \Delta \vdash H_0$ (14)

by rewriting (11) with (12).

By making:

$\Gamma_1 = \bullet$ (15)

We have:

$\Gamma_0, \Gamma_1 \mid \Delta, \mathsf{rw}\ p\ !A \vdash H_0, p \mapsto v$ (16)

by (Weakening) using $\Gamma_1$ on (9).

$\Gamma_0, \Gamma_1 \mid \bullet \vdash v : !A \dashv \bullet$ (17)

by (Weakening) using $\Gamma_1$ on (13).

$\Gamma_0, \Gamma_1 \mid \Delta, \mathsf{rw}\ p\ !A \vdash v : !A \dashv \Delta, \mathsf{rw}\ p\ !A$ (18)

by (t:Frame) using $\Delta, \mathsf{rw}\ p\ !A$ on (17).

$\Gamma_0, \Gamma_1 \mid \Delta, \mathsf{rw}\ p\ !A \circledast \Delta_2 \vdash H, p \mapsto v$ (19)

by (Store Typing Extension) on (16).

Therefore, by (18) and (19) we conclude.

Case (t:Record) - is a value.

Case (t:Selection) - We have:

$\Gamma_0 \mid \Delta_0 \vdash \{\overline{f = v}\}.f_i : A_i \dashv \Delta$ (1)

$\Gamma_0 \mid \Delta_0 \circledast \Delta_2 \vdash H$ (2)

$\langle H \parallel \{\overline{f = v}\}.f_i \rangle \mapsto \langle H \parallel v_i \rangle$ (3)

by hypothesis, with (d:Selection).

$\Gamma_0 \mid \Delta_0 \vdash \{\overline{f = v}\} : [\overline{f : A}] \dashv \Delta$ (4)

by inversion on (t:Selection) with (1).

$\Delta_0 <: \Delta', \Delta$ (5)

$\Gamma_0 \mid \Delta' \vdash \{\overline{f = v}\} : [\overline{f : A}] \dashv \bullet$ (6)

by (Values Lemma) on (4).

$\Gamma_0 \mid \Delta' \vdash v_i : A_i \dashv \bullet$ (7)

by (Values Inversion Lemma) with (6).

$\Gamma_0 \mid \Delta', \Delta \vdash v_i : A_i \dashv \Delta$ (8)

by (t:Frame) with $\Delta$ on (7) (the side condition on $\Delta'$ holds by (Values Lemma)).

$\Gamma_0 \mid \Delta', \Delta \circledast \Delta_2 \vdash H$ (9)

by (Subtyping Store Typing) with (2) and (5).

Therefore, by making:

$\Gamma_1 = \bullet$ (10)

$\Delta_1 = \Delta', \Delta$ (11)

$\Gamma_0, \Gamma_1 \mid \Delta_1 \circledast \Delta_2 \vdash H$ (12)

by (Weakening) with (10) on (9) and rewriting (9) using (11).

$\Gamma_0, \Gamma_1 \mid \Delta_1 \vdash v_i : A_i \dashv \Delta$ (13)

by (Weakening) with (10) on (8) and rewriting (8) using (11).

Therefore, by (12) and (13) we conclude.


Case (t:Application) - We have:

$\Gamma_0 \mid \Delta_0 \vdash (\mathsf{fun}(x : A_0).e)\ v : A_1 \dashv \Delta$ (1)

$\Gamma_0 \mid \Delta_0 \circledast \Delta_2 \vdash H_0$ (2)

$\langle H_0 \parallel (\mathsf{fun}(x : A_0).e)\ v \rangle \mapsto \langle H_0 \parallel e\{v/x\} \rangle$ (3)

by hypothesis, with (d:Application).

$\Gamma_0 \mid \Delta_0 \vdash \mathsf{fun}(x : A_0).e : A_0 \multimap A_1 \dashv \Delta'$ (4)

$\Gamma_0 \mid \Delta' \vdash v : A_0 \dashv \Delta$ (5)

by inversion on (t:Application) with (1).

$\Delta_0 <: \Delta_v, \Delta'$ (6)

$\Gamma_0 \mid \Delta_v \vdash \mathsf{fun}(x : A_0).e : A_0 \multimap A_1 \dashv \bullet$ (7)

by (Values Lemma) on (4).

$\Delta' <: \Delta'_v, \Delta$ (8)

$\Gamma_0 \mid \Delta'_v \vdash v : A_0 \dashv \bullet$ (9)

by (Values Lemma) on (5).

$\Gamma_0 \mid \Delta_v, x : A_0 \vdash e : A_1 \dashv \bullet$ (10)

by (Values Inversion Lemma) with (7).

$\Gamma_0 \mid \Delta'_v, \Delta_v, \Delta \vdash v : A_0 \dashv \Delta_v, \Delta$ (13)

by (t:Frame) on (9) with $\Delta_v, \Delta$.

$\Gamma_0 \mid \Delta_v, x : A_0, \Delta \vdash e : A_1 \dashv \Delta$ (14)

by (t:Frame) on (10) with $\Delta$.

$\Gamma_0 \mid \Delta'_v, \Delta_v, \Delta \vdash e\{v/x\} : A_1 \dashv \Delta$ (15)

by (Substitution Lemma - Linear) with (13) and (14).

By making:

$\Gamma_1 = \bullet$

$\Delta_1 = \Delta'_v, \Delta_v, \Delta$

We immediately have:

$\Gamma_0, \Gamma_1 \mid \Delta_1 \vdash e\{v/x\} : A_1 \dashv \Delta$ (16)

with (15).

$\Gamma_0, \Gamma_1 \mid \Delta', \Delta_v \circledast \Delta_2 \vdash H_0$ (17)

by (Subtyping Store Typing) with (2) and (6).

$\Gamma_0, \Gamma_1 \mid \Delta, \Delta'_v, \Delta_v \circledast \Delta_2 \vdash H_0$ (18)

by (Subtyping Store Typing) with (17) and (8).

$\Gamma_0, \Gamma_1 \mid \Delta_1 \circledast \Delta_2 \vdash H_0$ (19)

by renaming the environment.

Therefore, by (16) and (19) we conclude.

Case (t:Function) - is a value.

Case (t:Forall-Loc) - is a value.

Case (t:Loc-App) - We have:

$\Gamma_0 \mid \Delta_0 \vdash (\langle t\rangle\, e)[p] : A\{p/t\} \dashv \Delta$ (1)

$\Gamma_0 \mid \Delta_0 \circledast \Delta_2 \vdash H_0$ (2)

$\langle H_0 \parallel (\langle t\rangle\, e)[p] \rangle \mapsto \langle H_0 \parallel e\{p/t\} \rangle$ (3)

by hypothesis, with (d:LocApp).

$\Gamma_0 \mid \Delta_0 \vdash \langle t\rangle\, e : \forall t.A \dashv \Delta$ (4)

$p : \mathsf{loc} \in \Gamma_0$ (5)

by inversion on (t:Loc-App) with (1).

$\Delta_0 <: \Delta, \Delta_v$ (6)

$\Gamma_0 \mid \Delta_v \vdash \langle t\rangle\, e : \forall t.A \dashv \bullet$ (7)

by (Values Lemma) on (4).

$\Gamma_0, t : \mathsf{loc} \mid \Delta_v \vdash e : A \dashv \bullet$ (8)

by (Values Inversion Lemma) with (7).

$\Gamma_0, t : \mathsf{loc} \mid \Delta_v, \Delta \vdash e : A \dashv \Delta$ (9)

by (t:Frame) with $\Delta$ on (8).

$\Gamma_0\{p/t\} \mid \Delta_v\{p/t\}, \Delta\{p/t\} \vdash e\{p/t\} : A\{p/t\} \dashv \Delta\{p/t\}$ (10)

by (Substitution Lemma - Location Variable) on (5) and (9).

$\Gamma_0 \mid \Delta_v, \Delta \vdash e\{p/t\} : A\{p/t\} \dashv \Delta$ (11)

since $t$ cannot occur in $\Gamma_0, \Delta_v, \Delta$ (it is fresh in the conclusion) and (10).

By making:

$\Gamma_1 = \bullet$

$\Delta_1 = \Delta_v, \Delta$

We trivially have:

$\Gamma_0, \Gamma_1 \mid \Delta_1 \vdash e\{p/t\} : A\{p/t\} \dashv \Delta$ (12)

with (11).

$\Gamma_0, \Gamma_1 \mid \Delta_1 \circledast \Delta_2 \vdash H_0$ (13)

by (Subtyping Store Typing) with (2) and (6).

Therefore, by (12) and (13) we conclude.

Case  (t:Loc-Pack)  -  Is  a  value. 

Case (t:Loc-Open) - We have:

$\Gamma_0 \mid \Delta_0 \vdash \mathsf{open}\ \langle t, x\rangle = \langle p, v\rangle\ \mathsf{in}\ e\ \mathsf{end} : A_1 \dashv \Delta$ (1)

$\Gamma_0 \mid \Delta_0 \circledast \Delta_2 \vdash H_0$ (2)

$\langle H_0 \parallel \mathsf{open}\ \langle t, x\rangle = \langle p, v\rangle\ \mathsf{in}\ e\ \mathsf{end} \rangle \mapsto \langle H_0 \parallel e\{p/t\}\{v/x\} \rangle$ (3)

by hypothesis, with (d:LocOpen).

$\Gamma_0 \mid \Delta_0 \vdash \langle p, v\rangle : \exists t.A_0 \dashv \Delta'$ (4)

$\Gamma_0, t : \mathsf{loc} \mid \Delta', x : A_0 \vdash e : A_1 \dashv \Delta$ (5)

by inversion on (t:Loc-Open) with (1).

$\Delta_0 <: \Delta_v, \Delta'$ (6)

$\Gamma_0 \mid \Delta_v \vdash \langle p, v\rangle : \exists t.A_0 \dashv \bullet$ (7)

by (Values Lemma) with (4).

$\Gamma_0 \mid \Delta_v \vdash v : A_0\{p/t\} \dashv \bullet$ (8)

by (Values Inversion Lemma) with (7).

$p : \mathsf{loc} \in \Gamma_0$ (9)

by well-formedness of the types in (8).

$\Gamma_0\{p/t\} \mid \Delta'\{p/t\}, x : A_0\{p/t\} \vdash e\{p/t\} : A_1\{p/t\} \dashv \Delta\{p/t\}$ (10)

by (Substitution Lemma - Location Variable) with (5) and (9).

$\Gamma_0 \mid \Delta_v, \Delta' \vdash v : A_0\{p/t\} \dashv \Delta'$ (11)

by (t:Frame) with $\Delta'$ on (8).

$\Gamma_0 \mid \Delta_0 \vdash v : A_0\{p/t\} \dashv \Delta'$ (12)

by (t:Subsumption) with (6) and (11).

$\Gamma_0\{p/t\} \mid \Delta_0\{p/t\} \vdash v\{p/t\} : A_0\{p/t\} \dashv \Delta'\{p/t\}$ (13)

by (Substitution Lemma - Location Variable) with (9) and (12).

$\Gamma_0\{p/t\} \mid \Delta_0\{p/t\} \vdash e\{p/t\}\{v/x\} : A_1\{p/t\} \dashv \Delta\{p/t\}$ (14)

by (Substitution Lemma - Linear) with (13) and (10).

By making:

$\Gamma_1 = \bullet$

$\Delta_1 = \Delta_0$

We immediately have:

$\Gamma_0\{p/t\}, \Gamma_1 \mid \Delta_1\{p/t\} \vdash e\{p/t\}\{v/x\} : A_1\{p/t\} \dashv \Delta\{p/t\}$ (15)

with (14).

$\Gamma_0, \Gamma_1 \mid \Delta_1 \vdash e\{p/t\}\{v/x\} : A_1 \dashv \Delta$ (16)

since $\Gamma_0$, $\Delta_1$ and $\Delta$ are closed, $t$ is fresh in the conclusion, and (14).

$\Gamma_0, \Gamma_1 \mid \Delta_1 \circledast \Delta_2 \vdash H_0$ (17)

by (Weakening) with $\Gamma_1$ on (2).

Therefore, by (16) and (17) we conclude.

Case  (t:Forall-Type)  -  is  a  value. 

Case  (t:Type-App)  -  Analogous  to  (t:Loc-App). 

Case  (t:Type-Pack)  -  is  a  value. 

Case  (t:Type-Open)  -  Analogous  to  (t:Loc-Open). 

Case  (t:Cap-Elim)  -  Not  applieable,  environment  not  elosed. 

Case (t:Cap-Stack) - We have:

$\Gamma_0 \mid \Delta_0 \vdash e_0 : A_0 :: A_1 \dashv \Delta$ (1)

$\Gamma_0 \mid \Delta_0 \circledast \Delta_2 \vdash H_0$ (2)

$\langle H_0 \parallel e_0 \rangle \mapsto \langle H_1 \parallel e_1 \rangle$ (3)

by hypothesis.

$\Gamma_0 \mid \Delta_0 \vdash e_0 : A_0 \dashv \Delta, A_1$ (4)

by inversion on (t:Cap-Stack) on (1).

$\Gamma_0, \Gamma_1 \mid \Delta_1 \circledast \Delta_2 \vdash H_1$ (5)

$\Gamma_0, \Gamma_1 \mid \Delta_1 \vdash e_1 : A_0 \dashv \Delta, A_1$ (6)

for some $\Delta_1, \Gamma_1$.

by induction hypothesis on (2), (3) and (4).

$\Gamma_0, \Gamma_1 \mid \Delta_1 \vdash e_1 : A_0 :: A_1 \dashv \Delta$ (7)

by (t:Cap-Stack) on (6).

Therefore, by (5) and (7) we conclude.
Case (t:Cap-Unstack) - We have:

$\Gamma_0 \mid \Delta_0 \vdash e_0 : A_0 \dashv \Delta, A_1$ (1)

$\Gamma_0 \mid \Delta_0 \circledast \Delta_2 \vdash H_0$ (2)

$\langle H_0 \parallel e_0 \rangle \mapsto \langle H_1 \parallel e_1 \rangle$ (3)

by hypothesis.

$\Gamma_0 \mid \Delta_0 \vdash e_0 : A_0 :: A_1 \dashv \Delta$ (4)

by inversion on (t:Cap-Unstack) on (1).

$\Gamma_0, \Gamma_1 \mid \Delta_1 \circledast \Delta_2 \vdash H_1$ (5)

$\Gamma_0, \Gamma_1 \mid \Delta_1 \vdash e_1 : A_0 :: A_1 \dashv \Delta$ (6)

for some $\Delta_1, \Gamma_1$.

by induction hypothesis on (2), (3) and (4).

$\Gamma_0, \Gamma_1 \mid \Delta_1 \vdash e_1 : A_0 \dashv \Delta, A_1$ (7)

by (t:Cap-Unstack) on (6).

Therefore, by (5) and (7) we conclude.
Case (t:Subsumption) - We have:

$\Gamma_0 \mid \Delta_0 \vdash e_0 : A_1 \dashv \Delta$ (1)

$\Gamma_0 \mid \Delta_0 \circledast \Delta_2 \vdash H_0$ (2)

$\langle H_0 \parallel e_0 \rangle \mapsto \langle H_1 \parallel e_1 \rangle$ (3)

by hypothesis.

$\Delta_0 <: \Delta_0'$ (4)

$\Gamma_0 \mid \Delta_0' \vdash e_0 : A_0 \dashv \Delta'$ (5)

$A_0 <: A_1$ (6)

$\Delta' <: \Delta$ (7)

by inversion on (t:Subsumption) with (1).

$\Gamma_0 \mid \Delta_0' \circledast \Delta_2 \vdash H_0$ (8)

by (Subtyping Store Typing) with (2) and (4).

$\Gamma_0, \Gamma_1 \mid \Delta_1 \circledast \Delta_2 \vdash H_1$ (9)

$\Gamma_0, \Gamma_1 \mid \Delta_1 \vdash e_1 : A_0 \dashv \Delta'$ (10)

for some $\Delta_1, \Gamma_1$.

by induction hypothesis on (3), (5) and (8).

$\Gamma_0, \Gamma_1 \mid \Delta_1 \vdash e_1 : A_1 \dashv \Delta$ (11)

by (t:Subsumption) with (6), (7) and (10), noting that $\Delta_1 <: \Delta_1$.

Therefore, by (9) and (11) we conclude.

Case  (t:Tag)  -  is  a  value. 

Case (t:Case) - We have:

$\Gamma_0 \mid \Delta_0 \vdash \mathsf{case}\ l_i \# v_i\ \mathsf{of}\ \overline{l_j \# x_j \to e_j}\ \mathsf{end} : A \dashv \Delta$ (1)

$\Gamma_0 \mid \Delta_0 \circledast \Delta_2 \vdash H_0$ (2)

$\langle H_0 \parallel \mathsf{case}\ l_i \# v_i\ \mathsf{of}\ \overline{l_j \# x_j \to e_j}\ \mathsf{end} \rangle \mapsto \langle H_0 \parallel e_i\{v_i/x_i\} \rangle$ (3)

by hypothesis, (d:Case).

$\Gamma_0 \mid \Delta_0 \vdash l_i \# v_i : \sum_j l_j \# A_j \dashv \Delta'$ (4)

$\Gamma_0 \mid \Delta', x_i : A_i \vdash e_i : A \dashv \Delta$ (5)

$i \leq j$ (6)

by inversion on (t:Case) with (1).

$\Delta_0 <: \Delta_v, \Delta'$ (7)

$\Gamma_0 \mid \Delta_v \vdash l_i \# v_i : \sum_j l_j \# A_j \dashv \cdot$ (8)

by (Values Lemma) with (4).

$\Gamma_0 \mid \Delta_v \vdash v_i : A_i \dashv \cdot$ (9)

for some $i$.

by (Values Inversion Lemma) with (8).

$\Gamma_0 \mid \Delta_v, \Delta' \vdash v_i : A_i \dashv \Delta'$ (10)

by (t:Frame) on (9) with $\Delta'$.

$\Gamma_0 \mid \Delta_0 \vdash e_i\{v_i/x_i\} : A \dashv \Delta$ (11)

by (Substitution Lemma - Linear) with (10) and (5), for some $i$, and (t:Subsumption) with (7).

By making:

$\Delta_1 = \Delta_0$

We trivially have:

$\Gamma_0, \Gamma_1 \mid \Delta_1 \vdash e_i\{v_i/x_i\} : A \dashv \Delta$ (12)

by (11).

$\Gamma_0, \Gamma_1 \mid \Delta_1 \circledast \Delta_2 \vdash H_0$ (13)

by (2).

Thus, by (12) and (13) we conclude.

Case (t:Alternative-Left) - We have:

$\Gamma_0 \mid \Delta_0, A_0 \oplus A_1 \vdash e_0 : A_2 \dashv \Delta$ (1)

$\Gamma_0 \mid \Delta_0, A_0 \oplus A_1 \circledast \Delta_2 \vdash H_0$ (2)

$\langle H_0 \parallel e_0 \rangle \mapsto \langle H_1 \parallel e_1 \rangle$ (3)

by hypothesis.

$\Gamma_0 \mid \Delta_0, A_0 \vdash e_0 : A_2 \dashv \Delta$ (4)

$\Gamma_0 \mid \Delta_0, A_1 \vdash e_0 : A_2 \dashv \Delta$ (5)

by inversion on (t:Alternative-Left) with (1).

By (Store Typing Inversion Lemma) on (2), we have that either:

• $\Gamma_0 \mid \Delta_0, A_0 \circledast \Delta_2 \vdash H_0$ (1.1)

by sub-case hypothesis.

$\Gamma_0, \Gamma_1 \mid \Delta_1 \circledast \Delta_2 \vdash H_1$ (1.2)

$\Gamma_0, \Gamma_1 \mid \Delta_1 \vdash e_1 : A_2 \dashv \Delta$ (1.3)

for some $\Delta_1, \Gamma_1$.

by induction hypothesis with (1.1), (3) and (4).

Therefore, we conclude.

• $\Gamma_0 \mid \Delta_0, A_1 \circledast \Delta_2 \vdash H_0$ (2.1)

analogous to the previous sub-case but using (5).

Thus, we conclude.


Case (t:Intersection-Right) - We have:

$\Gamma_0 \mid \Delta_0 \vdash e_0 : A_2 \dashv \Delta, A_0 \& A_1$ (1)

$\Gamma_0 \mid \Delta_0 \circledast \Delta_2 \vdash H_0$ (2)

$\langle H_0 \parallel e_0 \rangle \mapsto \langle H_1 \parallel e_1 \rangle$ (3)

by hypothesis.

$\Gamma_0 \mid \Delta_0 \vdash e_0 : A_2 \dashv \Delta, A_0$ (4)

$\Gamma_0 \mid \Delta_0 \vdash e_0 : A_2 \dashv \Delta, A_1$ (5)

by inversion on (t:Intersection-Right) with (1).

$\Gamma_0, \Gamma_1 \mid \Delta_1 \circledast \Delta_2 \vdash H_1$ (6)

$\Gamma_0, \Gamma_1 \mid \Delta_1 \vdash e_1 : A_2 \dashv \Delta, A_0$ (7)

for some $\Delta_1, \Gamma_1$.

by induction hypothesis with (2), (3) and (4).

$\Gamma_0, \Gamma_1 \mid \Delta_1 \circledast \Delta_2 \vdash H_1$ (8)

$\Gamma_0, \Gamma_1 \mid \Delta_1 \vdash e_1 : A_2 \dashv \Delta, A_1$ (9)

for some $\Delta_1, \Gamma_1$.

by induction hypothesis with (2), (3) and (5).

$\Gamma_0, \Gamma_1 \mid \Delta_1 \vdash e_1 : A_2 \dashv \Delta, A_0 \& A_1$ (10)

by (t:Intersection-Right) on (7) and (9).

Thus, we conclude.

Case (t:Frame) - We have:

$\Gamma_0 \mid \Delta_0 \circledast \Delta_2 \vdash e_0 : A \dashv \Delta \circledast \Delta_2$ (1)

$\Gamma_0 \mid (\Delta_0 \circledast \Delta_2) \circledast \Delta_3 \vdash H_0$ (2)

$\langle H_0 \parallel e_0 \rangle \mapsto \langle H_1 \parallel e_1 \rangle$ (3)

by hypothesis.

$\Gamma_0 \mid \Delta_0 \vdash e_0 : A \dashv \Delta$ (4)

by inversion on (t:Frame) with (1).

$H_0 = H', H''$ (5)

$\Delta' = \Delta_3 \setminus \Delta''$ (6)

$\Gamma_0 \mid (\Delta_0 \circledast \Delta_2) \circledast \Delta'' \vdash H'$ (7)

$\Gamma_0 \mid \Delta_0 \circledast \Delta_2 \vdash H'$ (8)

$\Gamma_0 \mid \Delta' \vdash H''$ (9)

by (Store Typing Extension) on (2).

$\langle H', H'' \parallel e_0 \rangle \mapsto \langle H_1', H'' \parallel e_1 \rangle$ (10)

by the support of the expression and (3).

$\langle H' \parallel e_0 \rangle \mapsto \langle H_1' \parallel e_1 \rangle$ (11)

by (10) since that part of the heap is not used.

$\Gamma_0, \Gamma_1 \mid \Delta_1 \circledast \Delta_2 \vdash H_1'$ (12)

$\Gamma_0, \Gamma_1 \mid \Delta_1 \vdash e_1 : A \dashv \Delta$ (13)

for some $\Delta_1, \Gamma_1$.

by induction hypothesis on (4), (8) and (11).

$\Gamma_0, \Gamma_1 \mid \Delta_1 \circledast \Delta_2 \vdash e_1 : A \dashv \Delta \circledast \Delta_2$ (14)

by (t:Frame) on (13) using $\Delta_2$.

$\Gamma_0, \Gamma_1 \mid (\Delta_1 \circledast \Delta_2) \circledast \Delta_3 \vdash H_1$ (15)

by (Weakening) and (Store Typing Extension) (noting that $\Delta''$ only includes shared parts and thus remains correct).

Therefore, by (14) and (15) we conclude.


Case (t:Let) - We have two reductions:

1. Sub-Case (d:LetCong):

$\Gamma_0 \mid \Delta_0 \vdash \mathsf{let}\ x = e_0\ \mathsf{in}\ e_2\ \mathsf{end} : A_1 \dashv \Delta$ (1)

$\Gamma_0 \mid \Delta_0 \circledast \Delta_2 \vdash H_0$ (2)

$\langle H_0 \parallel \mathsf{let}\ x = e_0\ \mathsf{in}\ e_2\ \mathsf{end} \rangle \mapsto \langle H_1 \parallel \mathsf{let}\ x = e_1\ \mathsf{in}\ e_2\ \mathsf{end} \rangle$ (3)

by hypothesis.

$\langle H_0 \parallel e_0 \rangle \mapsto \langle H_1 \parallel e_1 \rangle$ (4)

by inversion on (d:LetCong) with (3).

$\Gamma_0 \mid \Delta_0 \vdash e_0 : A_0 \dashv \Delta'$ (5)

$\Gamma_0 \mid \Delta', x : A_0 \vdash e_2 : A_1 \dashv \Delta$ (6)

by inversion on (t:Let) with (1).

$\Gamma_0, \Gamma_1 \mid \Delta_1 \circledast \Delta_2 \vdash H_1$ (7)

$\Gamma_0, \Gamma_1 \mid \Delta_1 \vdash e_1 : A_0 \dashv \Delta'$ (8)

for some $\Delta_1, \Gamma_1$.

by induction hypothesis on (2), (4) and (5).

$\Gamma_0, \Gamma_1 \mid \Delta', x : A_0 \vdash e_2 : A_1 \dashv \Delta$ (9)

by (Weakening) on (6).

$\Gamma_0, \Gamma_1 \mid \Delta_1 \vdash \mathsf{let}\ x = e_1\ \mathsf{in}\ e_2\ \mathsf{end} : A_1 \dashv \Delta$ (10)

by (t:Let) with (8) and (9).

Therefore, by (7) and (10) we conclude.

2. Sub-Case (d:Let):

$\Gamma_0 \mid \Delta_0 \vdash \mathsf{let}\ x = v\ \mathsf{in}\ e\ \mathsf{end} : A_1 \dashv \Delta$ (1)

$\Gamma_0 \mid \Delta_0 \circledast \Delta_2 \vdash H$ (2)

$\langle H \parallel \mathsf{let}\ x = v\ \mathsf{in}\ e\ \mathsf{end} \rangle \mapsto \langle H \parallel e\{v/x\} \rangle$ (3)

by hypothesis.

$\Gamma_0 \mid \Delta_0 \vdash v : A_0 \dashv \Delta'$ (4)

$\Gamma_0 \mid \Delta', x : A_0 \vdash e : A_1 \dashv \Delta$ (5)

by inversion on (t:Let) with (1).

$\Delta_0 <: \Delta_v, \Delta'$ (6)

$\Gamma_0 \mid \Delta_v \vdash v : A_0 \dashv \cdot$ (7)

by (Values Lemma) with (4).

$\Gamma_0 \mid \Delta_v, \Delta' \vdash v : A_0 \dashv \Delta'$ (8)

by (t:Frame) with $\Delta'$ on (7).

$\Gamma_0 \mid \Delta_v, \Delta' \vdash e\{v/x\} : A_1 \dashv \Delta$ (9)

by (Substitution Lemma - Linear) with (8) and (5).

$\Gamma_0 \mid \Delta_v, \Delta' \circledast \Delta_2 \vdash H$ (10)

by (Subtyping Store Typing) with (2) and (6).

Therefore, by (Weakening) with $\Gamma_1 = \cdot$ and $\Delta_1 = \Delta_v, \Delta'$, by (9) and (10) we conclude.


Case (t:Share) - We have:

$\Gamma_0 \mid \Delta, A_0 \vdash \mathsf{share}\ A_0\ \mathsf{as}\ A_1 \parallel A_2 : [] \dashv \Delta, A_1, A_2$ (1)

$\Gamma_0 \mid \Delta, A_0 \circledast \Delta_2 \vdash H$ (2)

$\langle H \parallel \mathsf{share}\ A_0\ \mathsf{as}\ A_1 \parallel A_2 \rangle \mapsto \langle H \parallel \{\} \rangle$ (3)

by hypothesis.

$A_0 \Rrightarrow A_1 \parallel A_2$ (4)

by inversion on (t:Share) with (1).

$\Gamma_0 \mid \Delta, A_1, A_2 \circledast \Delta_2 \vdash H$ (5)

by (str:Shared) with (2) and (4) (the application of (Store Typing Extension) is immediate).

$\Gamma_0 \mid \cdot \vdash \{\} : [] \dashv \cdot$ (6)

by (t:Unit) with $v = \{\}$.

$\Gamma_0 \mid \Delta, A_1, A_2 \vdash \{\} : [] \dashv \Delta, A_1, A_2$ (7)

by (t:Frame) on (6).

Thus, by making:

$\Gamma_1 = \cdot$ (8)

$\Delta_1 = \Delta, A_1, A_2$ (9)

We have, through (Weakening) and just renaming the environment:

$\Gamma_0, \Gamma_1 \mid \Delta_1 \circledast \Delta_2 \vdash H$ (10)

by (5).

$\Gamma_0, \Gamma_1 \mid \Delta_1 \vdash \{\} : [] \dashv \Delta, A_1, A_2$ (11)

by (7).

Therefore, by (10) and (11) we conclude.


Case (t:Focus) - We have:

$\Gamma_0 \mid A_0 \Rightarrow A_1 \vdash \mathsf{focus}\ A : [] \dashv A_0, A_1 \triangleright \cdot$ (1)

$\Gamma_0 \mid A_0 \Rightarrow A_1 \circledast \Delta_2 \vdash H$ (2)

$\langle H \parallel \mathsf{focus}\ A \rangle \mapsto \langle H \parallel \{\} \rangle$ (3)

by hypothesis.

$H = H_0, H_1$ (4)

$\Delta' = \Delta_2 \setminus \Delta''$ (5)

$\Gamma_0 \mid A_0 \Rightarrow A_1 \circledast \Delta'' \vdash H_0$ (6)

$\Gamma_0 \mid A_0 \Rightarrow A_1 \vdash H_0$ (7)

$\Gamma_0 \mid \Delta' \vdash H_1$ (8)

by (Store Typing Extension) on (2).

$A_0 \Rrightarrow A_0 \Rightarrow A_1 \parallel \mathsf{none}$ (9)

since protocols work alone and $A_0$ must be the initial state.

$\Gamma_0 \mid A_0 \vdash H_0$ (10)

by (Store Typing Inversion Lemma) with (7) and (9).

$\Gamma_0 \mid A_0, A_1 \triangleright \cdot \vdash H_0$ (11)

by (str:Defocus) with (10) since the protocol must conform.

$\Gamma_0 \mid A_0, A_1 \triangleright \cdot \circledast \Delta_2 \vdash H$ (12)

by reapplying (Store Typing Extension).

Note that any other protocol to that state that may exist in $\Delta_2$ must still compose properly with the protocol that was focused on. This follows both from the initial hypothesis (2), which ensures all already existing protocols conform, and from (Protocol Conformance Preservation), which guarantees that protocol conformance remains valid regardless of which protocol is stepped first.

$\Gamma_0 \mid \cdot \vdash \{\} : [] \dashv \cdot$ (13)

by (t:Unit) with $v = \{\}$.

$\Gamma_0 \mid A_0, A_1 \triangleright \cdot \vdash \{\} : [] \dashv A_0, A_1 \triangleright \cdot$ (14)

by (t:Frame) on (13).

Thus, by making $\Gamma_1 = \cdot$ we conclude by (12) and (14).

Case (t:Defocus) - We have:

$\Gamma_0 \mid \Delta_0, A_0, (A_0 ; A_1) \triangleright \Delta_1 \vdash \mathsf{defocus} : [] \dashv \Delta_0, A_1, \Delta_1$ (1)

$\Gamma_0 \mid (\Delta_0, A_0, (A_0 ; A_1) \triangleright \Delta_1) \circledast \Delta_2 \vdash H$ (2)

$\langle H \parallel \mathsf{defocus} \rangle \mapsto \langle H \parallel \{\} \rangle$ (3)

by hypothesis.

$H = H_0, H_1$ (4)

$\Delta' = \Delta_2 \setminus \Delta''$ (5)

$\Gamma_0 \mid (\Delta_0, A_0, (A_0 ; A_1) \triangleright \Delta_1) \circledast \Delta'' \vdash H_0$ (6)

$\Gamma_0 \mid \Delta_0, A_0, (A_0 ; A_1) \triangleright \Delta_1 \vdash H_0$ (7)

$\Gamma_0 \mid \Delta' \vdash H_1$ (8)

by (Store Typing Extension) on (2).

$H_0 = H', H''$ (9)

$\Delta' = \Delta_1 \setminus A_2$ (10)

$A_0 \Rrightarrow A_1 \parallel A_2$ (11)

$\Gamma_0 \mid \Delta' \vdash H''$ (12)

$\Gamma_0 \mid \Delta_0, A_0 \vdash H'$ (13)

by (Store Typing Inversion Lemma) with (7).

$\Gamma_0 \mid \Delta_0, A_1, \Delta_1 \vdash H_0$ (14)

by (str:Share) with (9), (10), (11), (12), (13).

$\Gamma_0 \mid (\Delta_0, A_1, \Delta_1) \circledast \Delta_2 \vdash H$ (15)

by (Store Typing Extension) on (14).

$\Gamma_0 \mid \cdot \vdash \{\} : [] \dashv \cdot$ (16)

by (t:Unit) with $v = \{\}$.

$\Gamma_0 \mid \Delta_0, A_1, \Delta_1 \vdash \{\} : [] \dashv \Delta_0, A_1, \Delta_1$ (17)

by (t:Frame) on (16).

Thus, by making $\Gamma_1 = \cdot$ we conclude by (17) and (15).

□ 
B.12 Progress

Theorem 4 (Progress). If $e_0$ is a closed expression such that

$\Gamma \mid \Delta_0 \vdash e_0 : A \dashv \Delta_1$

then either:

(value) $e_0$ is a value ($v$), or;

(steps) if exists $H_0$ such that $\Gamma \mid \Delta_0 \vdash H_0$ then

$\langle H_0 \parallel e_0 \rangle \mapsto \langle H_1 \parallel e_1 \rangle$.

Proof. By induction on the typing derivation of $\Gamma \mid \Delta_0 \vdash e_0 : A \dashv \Delta_1$.

Case  (t:Ref),  (t:Pure),  (t:Unit),  (t:Pure-Read),  (t:Linear-Read),  (t:Pure-Elim)  -  are  all  values 
or  the  environments  are  not  closed. 

Case (t:New) - We have:

$\Gamma \mid \Delta_0 \vdash \mathsf{new}\ v : \exists t.(\mathsf{ref}\ t :: \mathsf{rw}\ t\ A) \dashv \Delta_1$ (1)

by hypothesis.

Which is not a value but transitions by (d:New).

Thus, we conclude.

Case (t:Delete) - We have:

$\Gamma \mid \Delta_0 \vdash \mathsf{delete}\ v : \exists t.A \dashv \Delta_1$ (1)

by hypothesis.

$\Gamma \mid \Delta_0 \vdash v : \exists t.(\mathsf{ref}\ t :: \mathsf{rw}\ t\ A) \dashv \Delta_1$ (2)

by inversion on (t:Delete) with (1).

$v = \langle p, p \rangle$ (3)

by (Values Lemma) and (Values Inversion Lemma) on (2).

Thus, by (d:Delete) the expression transitions.

Case (t:Assign) - We have:

$\Gamma \mid \Delta_0 \vdash v_0 := v_1 : A_1 \dashv \Delta_2, \mathsf{rw}\ p\ A_0$ (1)

by hypothesis.

$\Gamma \mid \Delta_0 \vdash v_1 : A_0 \dashv \Delta_1$ (2)

$\Gamma \mid \Delta_1 \vdash v_0 : \mathsf{ref}\ p \dashv \Delta_2, \mathsf{rw}\ p\ A_1$ (3)

by inversion on (t:Assign) with (1).

$v_0 = p$ (4)

by (Values Lemma) and (Values Inversion Lemma) with (3).

Thus, by (d:Assign) the expression transitions.




Case (t:Dereference-Linear) - We have:

$\Gamma \mid \Delta_0 \vdash !v : A \dashv \Delta_1, \mathsf{rw}\ p\ []$ (1)

by hypothesis.

$\Gamma \mid \Delta_0 \vdash v : \mathsf{ref}\ p \dashv \Delta_1, \mathsf{rw}\ p\ A$ (2)

by inversion on (t:Dereference-Linear) with (1).

$v = p$ (3)

by (Values Lemma) and (Values Inversion Lemma) with (2).

Thus, by (d:Dereference) the expression transitions.

Case (t:Dereference-Pure) - Analogous to (t:Dereference-Linear).

Case (t:Record) - is a value.

Case (t:Selection) - We have:

$\Gamma \mid \Delta_0 \vdash v.l_i : A_i \dashv \Delta_1$ (1)

by hypothesis.

$\Gamma \mid \Delta_0 \vdash v : [\overline{l : A}] \dashv \Delta_1$ (2)

by inversion on (t:Selection) with (1).

$v = \{\overline{l = v'}\}$ (3)

by (Values Lemma) and (Values Inversion Lemma) with (2).

Thus, by (d:Selection) the expression transitions.

Case (t:Application) - We have:

$\Gamma \mid \Delta_0 \vdash v_0\ v_1 : A_1 \dashv \Delta_2$ (1)

by hypothesis.

$\Gamma \mid \Delta_0 \vdash v_0 : A_0 \multimap A_1 \dashv \Delta_1$ (2)

$\Gamma \mid \Delta_1 \vdash v_1 : A_0 \dashv \Delta_2$ (3)

by inversion on (t:Application) with (1).

$v_0 = \mathsf{fun}(x : A'').e$ with $A_0 <: A''$ (4)

by (Values Lemma) and (Values Inversion Lemma) with (2).

Thus, by (d:Application) the expression transitions.


Case  (t: Function)  -  is  a  value. 

Case  (t:Forall-Loc)  -  is  a  value. 

Case (t:Loc-App) - We have:

$\Gamma \mid \Delta_0 \vdash v[p] : A\{p/t\} \dashv \Delta_1$ (1)

by hypothesis.

$\Gamma \mid \Delta_0 \vdash v : \forall t.A \dashv \Delta_1$ (2)

by inversion on (t:Loc-App) with (1).

$v = \langle t \rangle e$ (3)

by (Values Lemma) and (Values Inversion Lemma) with (2).

Thus, by (d:LocApp) the expression transitions.

Case (t:Loc-Open) - We have:

$\Gamma \mid \Delta_0 \vdash \mathsf{open}\ \langle t, x \rangle = v\ \mathsf{in}\ e\ \mathsf{end} : A_1 \dashv \Delta_2$ (1)

by hypothesis.

$\Gamma \mid \Delta_0 \vdash v : \exists t.A_0 \dashv \Delta_1$ (2)

$\Gamma, t : \mathsf{loc} \mid \Delta_1, x : A_0 \vdash e : A_1 \dashv \Delta_2$ (3)

by inversion on (t:Loc-Open) with (1).

$v = \langle p, v' \rangle$ (4)

by (Values Lemma) and (Values Inversion Lemma) with (2).

Thus, by (d:LocOpen) the expression transitions.

Case  (t:Loc-Pack)  -  is  a  value. 

Case  (t:Forall-Type)  -  is  a  value. 

Case  (t:Type-App)  -  Analogous  to  (t:Loc-App)  but  using  (d:TypeApp). 

Case  (t:Type-Open)  -  Analogous  to  (t:Loc-Open)  but  using  (d:TypeOpen). 

Case  (t:Type-Pack)  -  is  a  value. 

Case (t:Cap-Elim) - Environment not closed.

Case (t:Cap-Stack), (t:Cap-Unstack) - By direct application of the induction hypothesis on the inversion of each of the typing rules.

Case (t:Frame) - We have:

$\Gamma \mid \Delta_0 \circledast \Delta_2 \vdash e : A_0 \dashv \Delta_1 \circledast \Delta_2$ (1)

by hypothesis.

$\Gamma \mid \Delta_0 \vdash e : A_0 \dashv \Delta_1$ (2)

by inversion on (t:Frame) with (1).

Then, by induction hypothesis on (2), we have that either:

• $e$ is a value ($v$), or; (3)

• if exists $H_0$ such that $\Gamma \mid \Delta_0 \vdash H_0$ then $\langle H_0 \parallel e \rangle \mapsto \langle H_1 \parallel e' \rangle$ (4)

Then, since the heap is typed by $\Delta_0 \circledast \Delta_2$, there exists $H_2$ such that:

$\Gamma \mid \Delta_0 \circledast \Delta_2 \vdash H_0, H_2$ (5)

Therefore, by (5), (3) and (4) we conclude.




Case (t:Subsumption) - We have:

$\Gamma \mid \Delta_0 \vdash e : A_1 \dashv \Delta_3$ (1)

by hypothesis.

$\Delta_0 <: \Delta_1$ (2)

$\Gamma \mid \Delta_1 \vdash e : A_0 \dashv \Delta_2$ (3)

$A_0 <: A_1$ (4)

$\Delta_2 <: \Delta_3$ (5)

by inversion on (t:Subsumption) with (1).

If exists $H_0$ such that:

$\Gamma \mid \Delta_0 \vdash H_0$ (6)

$\Gamma \mid \Delta_1 \vdash H_0$ (7)

by (Subtyping Store Typing) with (6) and (2).

By induction hypothesis on (3), we have that either:

• $e$ is a value ($v$), or; (8)

• $\langle H_0 \parallel e \rangle \mapsto \langle H_1 \parallel e' \rangle$ (9)

Therefore, we conclude.


Case (t:Tag) - is a value.

Case (t:Case) - We have:

$\Gamma \mid \Delta_0 \vdash \mathsf{case}\ v\ \mathsf{of}\ \overline{l_j \# x_j \to e_j}\ \mathsf{end} : A \dashv \Delta_2$ (1)

by hypothesis.

$\Gamma \mid \Delta_0 \vdash v : \sum_i l_i \# A_i \dashv \Delta_1$ (2)

$\Gamma \mid \Delta_1, x_i : A_i \vdash e_i : A \dashv \Delta_2$ (3)

$i \leq j$ (4)

by inversion on (t:Case) with (1).

$v = l_i \# v_i$ (5)

by (Values Lemma) and (Values Inversion Lemma) with (2).

Thus, by (d:Case) the expression transitions.


Case (t:Alternative-Left) - We have:

$\Gamma \mid \Delta_0, A_0 \oplus A_1 \vdash e : A_2 \dashv \Delta_1$ (1)

by hypothesis.

$\Gamma \mid \Delta_0, A_0 \vdash e : A_2 \dashv \Delta_1$ (2)

$\Gamma \mid \Delta_0, A_1 \vdash e : A_2 \dashv \Delta_1$ (3)

by inversion on (t:Alternative-Left) with (1).

We have that either:

• $e$ is a value ($v$); (4)

Therefore the expression is a value.

• If exists $H_0$ such that $\Gamma \mid \Delta_0, A_0 \oplus A_1 \vdash H_0$ (5)

By (Store Typing Inversion Lemma) on (5), we have that either:

$\Gamma \mid \Delta_0, A_0 \vdash H_0$ (6)

Then by induction hypothesis on (2), we conclude that:

$\langle H_0 \parallel e \rangle \mapsto \langle H' \parallel e' \rangle$ (7)

Thus, the expression steps, since $e$ cannot be a value.

or $\Gamma \mid \Delta_0, A_1 \vdash H_0$ (8)

Then by induction hypothesis on (3), we conclude that:

$\langle H_0 \parallel e \rangle \mapsto \langle H' \parallel e' \rangle$ (9)

Thus, the expression steps, since $e$ cannot be a value.

Therefore, we conclude.

Case  (t:Intersection-Right)  -  Immediate  by  applying  the  induction  hypothesis  on  the  inversion 
of  the  typing  rule. 

Case (t:Share) - We have:

$\Gamma \mid \Delta, A_0 \vdash \mathsf{share}\ A_0\ \mathsf{as}\ A_1 \parallel A_2 : [] \dashv \Delta, A_1, A_2$ (1)

by hypothesis.

Then, if exists $H_0$ such that $\Gamma \mid \Delta, A_0 \vdash H_0$ then (1) steps by (d:Share).

Case (t:Focus-Rely), (t:Defocus-Guarantee) - Analogous to the previous case but by (d:Focus) and (d:Defocus), respectively.


Case (t:Let) - We have:

$\Gamma \mid \Delta_0 \vdash \mathsf{let}\ x = e_0\ \mathsf{in}\ e_1\ \mathsf{end} : A_1 \dashv \Delta_2$ (1)

by hypothesis.

$\Gamma \mid \Delta_0 \vdash e_0 : A_0 \dashv \Delta_1$ (2)

$\Gamma \mid \Delta_1, x : A_0 \vdash e_1 : A_1 \dashv \Delta_2$ (3)

by inversion on (t:Let) with (1).

By induction hypothesis on (2), we have that either:

• $e_0$ is a value ($v$); (4)

Thus, by (d:Let) the expression transitions.

• if exists $H_0$ such that $\Gamma \mid \Delta_0 \vdash H_0$ (5)

$\langle H_0 \parallel e_0 \rangle \mapsto \langle H_1 \parallel e_0' \rangle$ (6)

Thus, by (d:LetCong) the expression (1) transitions.

Therefore, we conclude.


□ 